Android 10 Security Release Notes

Published August 20, 2019 | Updated September 17, 2019

These Android Security Release Notes contain details of security vulnerabilities affecting Android devices that are addressed as part of Android 10. Android 10 devices with a security patch level of 2019-09-01 or later are protected against these issues (Android 10, as released on AOSP, has a default security patch level of 2019-09-01). To learn how to check a device's security patch level, see How to check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 10 release.

The severity assessment of issues in these release notes is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or are successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 10. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google Service Mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 10—Vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 10. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Android runtime

CVE References Type Severity
CVE-2019-9290 A-113039724 EoP Moderate
CVE-2019-9429 A-110035108 EoP Moderate

Framework

CVE References Type Severity
CVE-2019-9262 A-111792351 RCE Moderate
CVE-2019-9256 A-111921829 RCE Moderate
CVE-2019-9280 A-119322269 EoP Moderate
CVE-2019-9460 A-62535446 EoP Moderate
CVE-2019-9288 A-111363077 EoP Moderate
CVE-2019-9384 A-120568007 EoP Moderate
CVE-2019-9269 A-36899497 EoP Moderate
CVE-2019-9374 A-129476618 EoP Moderate
CVE-2019-9378 A-124539196 EoP Moderate
CVE-2019-9380 A-123700098 EoP Moderate
CVE-2019-9407 A-112434609 EoP Moderate
CVE-2019-9351 A-128599864 ID Moderate
CVE-2019-9281 A-32748076 ID Moderate
CVE-2019-9377 A-128599663 ID Moderate
CVE-2019-9292 A-115384617 ID Moderate
CVE-2019-9424 A-110941092 ID Moderate
CVE-2019-9399 A-115635664 ID Moderate
CVE-2019-9421 A-111215250 ID Moderate
CVE-2019-9428 A-110150807 ID Moderate
CVE-2019-9323 A-30770233 ID Moderate
CVE-2019-9438 A-77821568 ID Moderate
CVE-2019-9373 A-130173029 DoS Moderate
CVE-2019-9376 A-129287265 DoS Moderate
CVE-2019-9372 A-132782448 DoS Moderate

Library

CVE References Type Severity
CVE-2019-9423 A-110986616 EoP Moderate
CVE-2019-9459 A-79593569 EoP Moderate

Media framework

CVE References Type Severity
CVE-2019-9297 A-112890242 RCE Moderate
CVE-2019-9298 A-112892194 RCE Moderate
CVE-2019-9299 A-112663886 RCE Moderate
CVE-2019-9300 A-112661610 RCE Moderate
CVE-2019-9301 A-112663384 RCE Moderate
CVE-2019-9302 A-112661356 RCE Moderate
CVE-2019-9303 A-112661057 RCE Moderate
CVE-2019-9304 A-112662270 RCE Moderate
CVE-2019-9305 A-112661835 RCE Moderate
CVE-2019-9306 A-112661348 RCE Moderate
CVE-2019-9307 A-112661893 RCE Moderate
CVE-2019-9308 A-112661742 RCE Moderate
CVE-2019-9346 A-128433933 RCE Moderate
CVE-2019-9357 A-112662995 RCE Moderate
CVE-2019-9382 A-120874654 RCE Moderate
CVE-2019-9405 A-112890225 RCE Moderate
CVE-2019-9278 A-112537774 RCE Moderate
CVE-2019-9310 A-112891546 EoP Moderate
CVE-2019-9232 A-122675483 ID Moderate
CVE-2019-9247 A-120426166 ID Moderate
CVE-2019-9282 A-113211371 ID Moderate
CVE-2019-9293 A-117661116 ID Moderate
CVE-2019-9294 A-111764444 ID Moderate
CVE-2019-9313 A-112005441 ID Moderate
CVE-2019-9314 A-112329563 ID Moderate
CVE-2019-9315 A-112326216 ID Moderate
CVE-2019-9316 A-112052432 ID Moderate
CVE-2019-9317 A-112052258 ID Moderate
CVE-2019-9318 A-111764725 ID Moderate
CVE-2019-9319 A-111762100 ID Moderate
CVE-2019-9320 A-111761624 ID Moderate
CVE-2019-9321 A-111208713 ID Moderate
CVE-2019-9322 A-111128067 ID Moderate
CVE-2019-9325 A-112001302 ID Moderate
CVE-2019-9334 A-112859934 ID Moderate
CVE-2019-9335 A-112328051 ID Moderate
CVE-2019-9336 A-112326322 ID Moderate
CVE-2019-9337 A-112204376 ID Moderate
CVE-2019-9338 A-111762686 ID Moderate
CVE-2019-9347 A-109891727 ID Moderate
CVE-2019-9359 A-111407302 ID Moderate
CVE-2019-9361 A-111762807 ID Moderate
CVE-2019-9362 A-120426980 ID Moderate
CVE-2019-9364 A-73364631 ID Moderate
CVE-2019-9366 A-112052062 ID Moderate
CVE-2019-9370 A-133880046 ID Moderate
CVE-2019-9406 A-112552517 ID Moderate
CVE-2019-9408 A-112380157 ID Moderate
CVE-2019-9409 A-112272091 ID Moderate
CVE-2019-9410 A-112204443 ID Moderate
CVE-2019-9411 A-112204845 ID Moderate
CVE-2019-9412 A-112006096 ID Moderate
CVE-2019-9415 A-111805098 ID Moderate
CVE-2019-9416 A-111804142 ID Moderate
CVE-2019-9433 A-80479354 ID Moderate
CVE-2019-9252 A-73339042 ID Moderate
CVE-2019-9268 A-77474014 DoS Moderate
CVE-2019-9283 A-112663564 DoS Moderate
CVE-2019-9348 A-128431761 DoS Moderate
CVE-2019-9349 A-124330204 DoS Moderate
CVE-2019-9352 A-124253062 DoS Moderate
CVE-2019-9371 A-132783254 DoS Moderate
CVE-2019-9379 A-124329638 DoS Moderate
CVE-2019-9418 A-111450210 DoS Moderate
CVE-2019-9420 A-111272481 DoS Moderate

System

CVE References Type Severity
CVE-2019-9363 A-123584306 RCE Moderate
CVE-2019-9365 A-109838537 RCE Moderate
CVE-2018-9425 A-73884967 EoP Moderate
CVE-2019-9463 A-113584607 EoP Moderate
CVE-2019-9291 A-112159179 EoP Moderate
CVE-2019-9386 A-122361874 EoP Moderate
CVE-2019-9375 A-129344244 EoP Moderate
CVE-2019-9238 A-121267042 EoP Moderate
CVE-2019-9257 A-113572342 EoP Moderate
CVE-2019-9258 A-113655028 EoP Moderate
CVE-2019-9259 A-113575306 EoP Moderate
CVE-2019-9263 A-73136824 EoP Moderate
CVE-2019-9266 A-119501435 EoP Moderate
CVE-2019-9295 A-36885811 EoP Moderate
CVE-2019-9309 A-117985575 EoP Moderate
CVE-2019-9350 A-129562815 EoP Moderate
CVE-2019-9358 A-120156401 EoP Moderate
CVE-2018-9489 A-77286245 ID Moderate
CVE-2019-9440 A-37637796 ID Moderate
CVE-2019-9277 A-68016944 ID Moderate
CVE-2019-9233 A-122529021 ID Moderate
CVE-2019-9234 A-122465453 ID Moderate
CVE-2019-9235 A-122323053 ID Moderate
CVE-2019-9236 A-122322613 ID Moderate
CVE-2019-9237 A-121325979 ID Moderate
CVE-2019-9239 A-121263487 ID Moderate
CVE-2019-9240 A-121150966 ID Moderate
CVE-2019-9241 A-121036603 ID Moderate
CVE-2019-9242 A-121035878 ID Moderate
CVE-2019-9243 A-120905706 ID Moderate
CVE-2019-9244 A-120865977 ID Moderate
CVE-2019-9246 A-120428637 ID Moderate
CVE-2019-9249 A-120255805 ID Moderate
CVE-2019-9250 A-120276962 ID Moderate
CVE-2019-9251 A-120274615 ID Moderate
CVE-2019-9253 A-109769728 ID Moderate
CVE-2019-9260 A-113495295 ID Moderate
CVE-2019-9265 A-37994606 ID Moderate
CVE-2019-9272 A-11596047 ID Moderate
CVE-2019-9284 A-111850706 ID Moderate
CVE-2019-9287 A-78287084 ID Moderate
CVE-2019-9289 A-79883824 ID Moderate
CVE-2018-9581 A-111698366 ID Moderate
CVE-2019-9296 A-112162089 ID Moderate
CVE-2019-9312 A-78288018 ID Moderate
CVE-2019-9326 A-111215173 ID Moderate
CVE-2019-9328 A-111895000 ID Moderate
CVE-2019-9329 A-112917952 ID Moderate
CVE-2019-9332 A-78286500 ID Moderate
CVE-2019-9333 A-109753657 ID Moderate
CVE-2019-9344 A-120845341 ID Moderate
CVE-2019-9353 A-123024201 ID Moderate
CVE-2019-9354 A-118148142 ID Moderate
CVE-2019-9355 A-115903122 ID Moderate
CVE-2019-9356 A-111699773 ID Moderate
CVE-2019-9360 A-120610663 ID Moderate
CVE-2019-9368 A-79883568 ID Moderate
CVE-2019-9369 A-79995407 ID Moderate
CVE-2019-9381 A-122677612 ID Moderate
CVE-2019-9383 A-120843827 ID Moderate
CVE-2019-9387 A-117569833 ID Moderate
CVE-2019-9388 A-117567437 ID Moderate
CVE-2019-9403 A-113512324 ID Moderate
CVE-2019-9414 A-111893041 ID Moderate
CVE-2019-9427 A-110166350 ID Moderate
CVE-2019-9431 A-109755179 ID Moderate
CVE-2019-9432 A-80546108 ID Moderate
CVE-2019-9434 A-80432895 ID Moderate
CVE-2019-9435 A-80146682 ID Moderate
CVE-2019-9330 A-111214739 ID Moderate
CVE-2019-9331 A-112272279 ID Moderate
CVE-2019-9341 A-111214770 ID Moderate
CVE-2019-9342 A-111214470 ID Moderate
CVE-2019-9343 A-112050983 ID Moderate
CVE-2019-9367 A-112106425 ID Moderate
CVE-2019-9413 A-111935831 ID Moderate
CVE-2019-9417 A-111450079 ID Moderate
CVE-2019-9419 A-111407544 ID Moderate
CVE-2019-9422 A-111214766 ID Moderate
CVE-2019-9279 A-110476382 DoS Moderate
CVE-2019-9285 A-111215315 DoS Moderate
CVE-2019-9286 A-111213909 DoS Moderate
CVE-2019-9311 A-79431031 DoS Moderate
CVE-2019-9327 A-112050583 DoS Moderate
CVE-2019-9462 A-91544774 DoS Moderate
CVE-2019-9389 A-117567058 DoS Moderate
CVE-2019-9390 A-117551475 DoS Moderate
CVE-2019-9393 A-116357965 DoS Moderate
CVE-2019-9394 A-116351796 DoS Moderate
CVE-2019-9395 A-116267405 DoS Moderate
CVE-2019-9396 A-115747155 DoS Moderate
CVE-2019-9397 A-115747410 DoS Moderate
CVE-2019-9398 A-115745406 DoS Moderate
CVE-2019-9400 A-115509589 DoS Moderate
CVE-2019-9401 A-115375248 DoS Moderate
CVE-2019-9402 A-115372550 DoS Moderate
CVE-2019-9404 A-112923309 DoS Moderate
CVE-2019-9425 A-110846194 DoS Moderate
CVE-2019-9430 A-109838296 DoS Moderate

Libxaac

The Android 9 libxaac library was marked as experimental and removed from production Android builds as part of the November 2018 Android Security Bulletin. We would like to acknowledge researchers for their findings.

The issues identified include the following CVE IDs: CVE-2019-2055, CVE-2019-2059, CVE-2019-2060, CVE-2019-2061, CVE-2019-2062, CVE-2019-2063, CVE-2019-2064, CVE-2019-2065, CVE-2019-2066, CVE-2019-2067, CVE-2019-2068, CVE-2019-2069, CVE-2019-2070, CVE-2019-2071, CVE-2019-2072, CVE-2019-2073, CVE-2019-2074, CVE-2019-2075, CVE-2019-2076, CVE-2019-2077, CVE-2019-2078, CVE-2019-2079, CVE-2019-2080, CVE-2019-2081, CVE-2019-2082, CVE-2019-2083, CVE-2019-2084, CVE-2019-2085, CVE-2019-2086, CVE-2019-2087, CVE-2019-2138, CVE-2019-2139, CVE-2019-2140, CVE-2019-2141, CVE-2019-2142, CVE-2019-2143, CVE-2019-2144, CVE-2019-2145, CVE-2019-2146, CVE-2019-2147, CVE-2019-2148, CVE-2019-2149, CVE-2019-2150, CVE-2019-2151, CVE-2019-2152, CVE-2019-2153, CVE-2019-2154, CVE-2019-2155, CVE-2019-2156, CVE-2019-2157, CVE-2019-2158, CVE-2019-2159, CVE-2019-2160, CVE-2019-2161, CVE-2019-2162, CVE-2019-2163, CVE-2019-2164, CVE-2019-2165, CVE-2019-2166, CVE-2019-2167, CVE-2019-2168, CVE-2019-2169, CVE-2019-2170, CVE-2019-2171, CVE-2019-2172, CVE-2019-9261, CVE-2019-9264, CVE-2019-9385, and CVE-2019-9391.

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Android 10, as released on AOSP, has a default security patch level of 2019-09-01. Android devices running Android 10 and with a security patch level of 2019-09-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference
A- Android bug ID

Versions

Version Date Notes
1.0 August 20, 2019 Security Release Notes published.
1.1 August 21, 2019 Minor adjustments to vulnerability tables.
1.2 September 17, 2019 Updated acknowledgements and issue list.