Google maintains an active team dedicated to finding vulnerabilities in all types of devices, Project Zero, which has now announced that it has found eighteen vulnerabilities in Exynos processors. They are zero-day bugs: they were unknown to the affected company before Project Zero discovered them, and they have not yet been fixed. That is why Google has been quite sparing with details about some of these vulnerabilities, namely the most serious ones.
The most serious are four that allow remote code execution on a phone by attacking the device's baseband chip, with the attacker needing to know only the phone number. The baseband is in charge of connecting the phone to the network, so any vulnerability that affects it tends to be very serious. Project Zero says that an experienced hacker could use these and other vulnerabilities to attack a device silently. Only one has a CVE identifier for now, CVE-2023-24033, and the other three are waiting to be assigned one.
Google has indicated that, of the other fourteen vulnerabilities, six have a CVE identifier (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076) and the rest are waiting to be assigned one. They are not serious vulnerabilities, since the attack would have to be carried out by the network operator itself or by someone with local access to the device. Google has published the complete information on these because 90 days have passed since it notified Samsung and they have not been fixed.
The affected devices are various Samsung phones (S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04), Vivo phones (S16, S15, S6, X70, X60 and X30), the Google Pixel 6 and 7, and any vehicle with an Exynos Auto T5123. Google has already patched some versions of its phones in the latest Android patch, released in March.