Another month is here, and Android finds itself with a mixture of critical and high vulnerabilities.

Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found. However, with the inclusion of Broadcom and Qualcomm components, there are seven in total.
Let's take a look at the critical and high issues discovered in the most recent report.
Before we dive into what's included with this month's Android Security Bulletin, it's always good to know what security release is installed on your device. As I've been testing the waters of the Android Q Beta 6, it should come as no surprise that my daily driver, a Pixel 3, is running a current security patch (August 1, 2019).
SEE: Windows 10 security: A guide for business leaders (TechRepublic Premium)
To find out what patch level you are running, open Settings and go to Security. Under Security update you'll find your security patch level (Figure A).
Figure A: The latest security patch has been applied.
Terminology
You will find different types of vulnerabilities listed. Possible types include:
- RCE—Remote code execution
- EoP—Elevation of privilege
- ID—Information disclosure
- DoS—Denial of service
08/01/2019 patch level
Critical flaws
This patch level included the only non-third-party critical issue. This particular vulnerability was found in the system and was marked as such because it could enable a remote attacker, using a malicious PAC (Proxy Auto-Config) file, to execute arbitrary code within the context of a privileged process. The related bug (listed by CVE, Reference, and Type) is:
CVE-2019-2130 A-132073833 RCE
High issues
The first issue marked high, affects the Android runtime and is marked as such because it could enable a local attacker to bypass user interaction requirements to gain access to additional permissions on a device. The related bug (listed by CVE, Reference, and Type) is:
CVE-2019-2120 A-130821293 EoP
There are two issues, marked high, that affect the framework. These vulnerabilities are marked as such because they could enable locally installed malicious applications to execute arbitrary code within the context of a privileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2019-2121 A-131105245 EoP
- CVE-2019-2122 A-127605586 EoP
Next we find three vulnerabilities, marked high, in the media framework. These issues are marked as such because they could enable a remote attacker, using a specifically crafted malicious file to execute arbitrary code within the context of an unprivileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2019-2126 A-127702368 RCE
- CVE-2019-2128 A-132647222 EoP
- CVE-2019-2129 A-124781927 ID
There were a number of issues, marked high, found in the system. These issues were marked as such because they could enable a remote attacker, using a specifically crafted PAC file, to execute arbitrary code within the context of a privileged process on a device. The related bugs (listed by CVE, Reference, and Type) are:
- CVE-2019-2131 A-119115683 EoP
- CVE-2019-2132 A-130568701 EoP
- CVE-2019-2133 A-132082342 EoP
- CVE-2019-2134 A-132083376 EoP
- CVE-2019-2135 A-125900276 ID
- CVE-2019-2136 A-132650049 ID
- CVE-2019-2137 A-132438333 DoS
08/05/2019 Patch Level
Critical issues
The only vulnerabilities marked critical were found in both Broadcom and Qualcomm components. The first of these issues was found in the Broadcom bluetooth component and was marked as such because it could enable a remote attacker, using a malicious transmission, to execute arbitrary code within the context of a privileged process on a device. The related bug (listed by CVE, Reference, and Type) is:
CVE-2019-11516 A-132966035 RCE
The next issue, marked critical, was found in a open-source Qualcomm component. The details of this issue can be found in the appropriate Qualcomm security alert. The related bug (listed by CVE, Reference, Qualcomm Reference, and Component) is:
CVE-2019-10492 A-132170519 QC-CR#2389432 HLOS
There were two vulnerabilities marked high, found in closed-source Qualcomm components. The details surrounding these issues can be found in the appropriate Qualcomm security alert. The related bugs (listed by CVE and Reference) are:
- CVE-2019-10539 A-135126805
- CVE-2019-10540 A-135126805
High issues
The first issue marked high was found in the media framework and was listed as such because it could enable a local attacker to execute arbitrary code within the context of a privileged process on a device. The related bug (listed by CVE, Reference, and Type) is:
CVE-2019-2127 A-124899895 EoP
The next high issue was found in the system and was marked as such because it could enable a proximate attack to access device data. The related bug (listed by CVE, Reference, and Type) is:
CVE-2019-9506 A-124301137 ID
There were four issues, marked high, found in Qualcomm open-source components. The details of these issues can be found in the appropriate Qualcomm Security Alert. Related bugs (listed by CVE, Reference, Qualcomm Reference, and Component) are:
- CVE-2019-10509 A-132171185 QC-CR#2359039 BTHOST
- CVE-2019-10510 A-132173563 QC-CR#2305025 BTHOST
- CVE-2019-10499 A-134440231 QC-CR#2398099 MProc
- CVE-2019-10538 A-132193791 QC-CR#2448763 WLAN
The final issues, marked high, were found in Qualcomm closed-source components. The details of these issues can be found in the appropriate Qualcomm Security Alert. Related bugs (listed by CVE and Reference) are:
- CVE-2019-10489 A-132108754
- CVE-2019-2294 A-132108952
Upgrade and update
The developers will work diligently to patch vulnerabilities, but it is up to end users to ensure the fixes find their way to devices. Make sure you not only check for updates, but you apply them as soon as they become available.
Also see
- Android Security Bulletin April 2019: What you need to know (TechRepublic)
- Android Security Bulletin March 2019: What you need to know (TechRepublic)
- Android Security Bulletin Feb 2019: What you need to know (TechRepublic)
- The 10 best smartphones you can buy right now (sorry, Huawei) (ZDNet)
- 5G smartphones: A cheat sheet (TechRepublic)
- Smartphones and mobile tech: More must-read coverage (TechRepublic on Flipboard)
- IT pro's guide to the evolution and impact of 5G technology (TechRepublic download)
- Best mobile VPN services for 2019 (CNET)
- The 10 most important iPhone apps of all time (Download.com)