Experts disclosed details of a zero-day vulnerability that affects the Android mobile operating system. The high-severity zero-day issue resides in the driver for the Video For Linux 2 (V4L2) interface.
The vulnerability was reported by Lance Jiang and Moony Li of TrendMicro Research through the Zero Day Initiative (ZDI) program.
“This vulnerability allows local attackers to escalate privileges on vulnerable installations of Google Android. An attacker must first obtain the ability to execute
“The specific flaw exists within the v4l2 driver. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.”
Google learned about it in March and acknowledged it. The company, though, said that a fix would become available but gave no date for delivering a patch.
“The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this to escalate privileges in the context of the kernel.”
The vulnerability resides in the way the Video for Linux (V4L2) driver handles input data, it could be exploited by an attacker to elevate permissions to
Trend Micro published details of the issue after Google published the September 2019 Android Security Bulletin, that did not fix the fla
Experts pointed out that the attackers need local access in order to exploit the vulnerability, this means they should have already compromised the device. The issue could be chained with other vulnerabilities in order to take full control of a device, post the initial infection.
Jiang and Li reported the issue to Google in March.
Experts warn of the severity of privilege escalation vulnerabilities that could be used by attackers to gain root access on the devices and carry out many malicious activities.
At the time of writing, there is no workaround for this vulnerability.
Below the timeline for this issue: