As part of the October 2023 security updates for Android, Google released patches for 51 vulnerabilities on Monday, including fixes for two zero-day flaws that were exploited in malicious attacks. The first exploited vulnerability is CVE-2023-4863, a heap buffer overflow in the libwebp library that results in an out-of-bounds memory write and remote code execution (RCE). It has a CVSS score of 8.8.
In the Android security bulletin for October 2023, Google states that the vulnerability affects the System component and rates its severity as ‘critical’. Apple and the Citizen Lab group at The University of Toronto’s Munk School detected and reported the problem, although the tech giant has not provided detailed information on the observed in-the-wild exploitation.