New security vulnerability affects Pixel 6, Galaxy S22 series

Looks like Pixel 6 and Galaxy S22 owners may have another security vulnerability to contend with.

Security researcher and Northwestern University PhD student Zhenpeng Lin posted a video on Twitter showcasing the vulnerability. Lin claims the vulnerability can enable arbitrary read and write, privilege escalation, and disable SELinux security protections. In other words, it’s a doozy.

Android Police notes that none of the technical details about the vulnerability have been published. However, the vulnerability impacts Android devices running with Linux kernel version based on version 5.10 — namely, the Pixel 6 series, Galaxy S22 line, and some others. You can check your kernel version by heading to Settings > About phone > Android version > Kernel version.

Moreover, Android Police reports that the vulnerability appears to use some sort of memory access exploit, indicating it could be similar to the Dirty Pipe security flaw that plagued new Pixel and Galaxy smartphones earlier this year.

There’s also some debate over whether Lin’s Twitter post violates Google’s disclosure rules for security bugs. Lin told Android Police that the post was a “proof of concept” and he believes it doesn’t violate the rules. Additionally, Lin said he disclosed the flaw to Google on July 5th.

However, as Android Police notes, Google’s rules request “reasonable advance notice” and that reports going against this “usually don’t qualify.” In other words, it sounds like a public disclosure before alerting Google could impact reward payouts. Typically with security exploits, researchers only issue public disclosures as a final attempt to get companies to fix the flaw. Most tech companies offer disclosure programs and bug bounties and encourage researchers to disclose exploits to them first, then go public once a fix is available. Google’s internal research division, Project Zero, has a 90-day response policy for vulnerabilities that aren’t actively being exploited, and a seven-day policy for actively-exploited flaws.

Finally, Android Police notes that given the timeline and how Google’s security patches work, the issue might not be addressed until September. However, other manufacturers might be able to pull the fix into their own patches earlier, such as what Samsung did with Dirty Pipe.

Source: Zhenpeng Lin (Twitter) Via: Android Police

For all the latest Technology News Click Here 

 For the latest news and updates, follow us on Google News

Read original article here

Denial of responsibility! TheDailyCheck is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected] The content will be deleted within 24 hours.