Home / Threat Intelligence bulletins / Three actively exploited vulnerabilities discovered in Android devices

Target Industry

Indiscriminate, opportunistic targeting.


Three actively exploited vulnerabilities were disclosed within the most recent Google security update for the Android operating system. The three security flaws are tracked as follows:

  • CVE-2023-26083 (CVSSv3 Score: 3.3): Memory leak flaw in the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips
  • CVE-2021-29256 (CVSSv3 Score: 8.8): Unprivileged information disclosure and root privilege escalation flaw also impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers
  • CVE-2023-2136 (CVSSv3 Score: 9.8): Integer overflow bug in Skia.

A critical-level security flaw, tracked as CVE-2023-21250 (CVSSv3 Score: 9.8), was also disclosed, which allows for remote code execution (RCE) capabilities.


  • Successful exploitation of CVE-2023-26083 allows a non-privileged threat actor to make valid GPU processing operations that expose sensitive kernel metadata
  • Successful exploitation of CVE-2021-29256 allows an unprivileged threat actor to achieve access to freed memory, leading to information disclosure or root privilege escalation
  • Successful exploitation of CVE-2023-2136 allows a remote threat actor who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page
  • Successful exploitation of CVE-2023-21250 allows for threat actors to conduct RCE operations with no user interaction or additional execution privileges.

Vulnerability Detection

Google has released security patches for these vulnerabilities. As such, previous versions are vulnerable to potential exploitation.

Affected Products

  • CVE-2023-26083: Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips
  • CVE-2021-29256: Bifrost and Midgard Arm Mali GPU kernel drivers
  • CVE-2023-2136: Skia
  • CVE-2023-21250: Details yet to be released

Containment, Mitigations & Remediations

It is strongly recommended that users of the affected products adhere to the mitigation and remediation steps outlined in the July 2023 Android Security Bulletin.

Threat Landscape

Android occupies a significant portion of the mobile operating system market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Android devices have become a prime target. Due to the fact that Android products has become an integral aspect of both personal and business operations, threat actors will continue to exploit vulnerabilities contained within the product in an attempt to extract the sensitive data contained therein.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies


Common Weakness Enumeration:

CWE-401 – Missing Release of Memory after Effective Lifetime


Common Weakness Enumeration:

CWE-416 – Use After Free


Common Weakness Enumeration:

CWE-190 – Integer Overflow or Wraparound

Further Information

Google Security Bulletin


An Intelligence Terminology Yardstick to showing the likelihood of events