Google has released fixes for three critical-severity vulnerabilities in the Media framework of its Android operating system, which if exploited could allow a remote attacker to execute code.
The remote code execution (RCE) flaws are part of Google’s October 2019 Android Security Bulletin, which deployed fixes for high and critical-severity vulnerabilities tied to nine CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 18 high and critical-severity vulnerabilities.
The three critical flaws (CVE-2019-2184, CVE-2019-2185, CVE-2019-2186) exist in Android’s Media framework.