Critical ‘remote escalation’ flaw in Android 12 fixed in Feb security patch batch


The February edition of Google’s monthly Android security update tackles, among other vulnerabilities, an eyebrow-raising critical flaw in Android 12.

That bug, CVE-2021-39675, is present in the mobile OS’s System component, and can be abused to achieve remote escalation of privilege without the user needing to do anything at all, and “with no additional execution privileges needed,” as Google cryptically put it.

The web giant hasn’t revealed much more info about the vulnerability, though it referenced a source-level change in Android’s wireless NFC code that brings in an additional check to make sure a size parameter isn’t too large. You can now imagine how this is a “remote escalation of privilege” bug that needs no user interaction to exploit.

Presumably Google doesn’t want to go into too much detail at this stage, as it’s in the middle of rolling out its patches.
