Google addressed a zero-day vulnerability affecting Android devices that use Qualcomm chipsets which is actively exploited in the wild.

Google has addressed a zero-day vulnerability, tracked as CVE-2020-11261, affecting Android devices that use Qualcomm chipsets. According to the IT giant, threat actors are actively exploiting the vulnerability in attacks in the wild.

The CVE-2020-11261 flaw, is an improper input validation in Graphics, rated with a CVSS score 8.4.

“Memory corruption due to improper check to return error when user application requests memory allocation of a huge size” reads the description provided by Qualcomm.

The vulnerability could be exploited through an attacker-engineered app requests access to a huge portion of the device’s memory.

“There are indications that CVE-2020-11261 may be under limited, targeted exploitation” reads a note added to the January security bulletin last week.

The CVE-2020-11261 flaw was reported to Qualcomm by Google’s Android Security team on August 20, 2020 and was addressed in January 2021.

The issue was rated as high severity because it requires local access to be exploited, this means that attackers need physical access to the vulnerable device.

Google did not provide technical details about the attacks either attribute them to certain threat actors.

[출처 : SecurityAffairs / 3.24.]