Researchers are warning of a high-severity zero-day vulnerability in Google’s Android operating system, which if exploited could give a local attacker escalated privileges on a target’s device.
The specific flaw exists within the v4l2 (Video4Linux 2) driver, which is the Android media driver. When exploited, a component within the v4l2 “does not validate the existence of an object prior to performing operations on the object,” according to researchers with Zero Day Initiative (ZDI). Researchers said an attacker with physical access to the Android device could leverage the flaw to escalate privileges in the context of the kernel, which typically allows an attacker to take control of the targeted device.
“An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability,” according to ZDI researchers who discovered the flaw and publicly disclosed the bug on Wednesday,