New security patches for Google’s Nexus devices address seven vulnerabilities, two of which are critical and could allow for remote code execution when handling media files.
The updates, released on Monday, are part of Google’s recently introduced monthly patch cycle and are available for Nexus devices running both Android 5.1 (Lollipop) and 6.0 (Marshmallow). The source code for the fixes will also be added to the Android Open Source Project (AOSP) over the next 48 hours.
The most serious flaws patched in this release are tracked as CVE-2015-6608 and CVE-2015-6609, and are located in the mediaserver and libutils components of Android, respectively. Both vulnerabilities can be exploited remotely through specially crafted media files.