The zero-day vulnerability could enable privilege escalation, and is not part of Google’s Android September security update.
Researchers are warning of a high-severity zero-day vulnerability in Google’s Android operating system, which if exploited could give a local attacker escalated privileges on a target’s device.
The specific flaw exists within the v4l2 (Video4Linux 2) driver in Android. When exploited, a component within the v4l2 “does not validate the existence of an object prior to performing operations on the object,” according to researchers with Zero Day Initiative (ZDI). Researchers said an attacker with physical access to the Android device could leverage the flaw to escalate privileges in the context of the kernel, which typically allows an attacker to take control of the targeted device.
“An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability,” according to ZDI researchers who discovered the flaw and publicly disclosed the bug on Wednesday,