Experts disclosed details of a zero-day vulnerability that affects the Android mobile operating system. The high-severity zero-day issue resides in the driver for the Video For Linux 2 (V4L2) interface.
The vulnerability was reported by Lance Jiang and Moony Li of Trend Micro Research through the Zero Day Initiative (ZDI) program.
“This vulnerability allows local attackers to escalate privileges on vulnerable installations of Google Android. An attacker must first obtain the ability to execute
“The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.”
Google learned about it in March and acknowledged it. The company said that a fix would become available, but gave no date for delivering a patch.
The vulnerability resides in the way the Video for Linux (V4L2) driver handles input data; it could be exploited by an attacker to elevate permissions to
Trend Micro published details of the issue after Google published the September 2019 Android Security Bulletin, which did not fix the fla
Experts pointed out that attackers need local access in order to exploit the vulnerability, which means they must have already compromised the device. The issue could be chained with other vulnerabilities to take full control of a device after the initial infection.
Jiang and Li reported the issue to Google in March.
Experts warn of the severity of privilege escalation vulnerabilities that could be used by attackers to gain root access on the devices and carry out many malicious activities.
At the time of writing, there is no workaround for this vulnerability.
Below is the timeline for this issue: