Android 10 Security Release Notes

Published August 20, 2019 | Updated January 27, 2021

This Android Security Release Notes contains details of security vulnerabilities affecting Android devices which are addressed as part of Android 10. Android 10 devices with a security level of 2019-09-01 or later are protected against these issues (Android 10, as released on AOSP, has a default security level of 2019-09-01). To learn how to check a device's security level, see How to check and update your Android version.

Android partners are notified of all issues prior to publication. Source code es for these issues are released to the Android Open Source Project (AOSP) repository as part of the Android 10 release.

The severity assessment of issues in these release notes are based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 10. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 10—Vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 10. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Android runtime

CVEReferencesTypeSeverity
CVE-2019-9290A-113039724EoPModerate
CVE-2019-9429A-110035108EoPModerate

Framework

CVEReferencesTypeSeverity
CVE-2019-9262A-111792351RCEModerate
CVE-2019-9256A-111921829RCEModerate
CVE-2019-9280A-119322269EoPModerate
CVE-2019-2216A-38390530EoPModerate
CVE-2019-2089A-116608833EoPModerate
CVE-2019-9288A-111363077EoPModerate
CVE-2019-9384A-120568007EoPModerate
CVE-2019-9269A-36899497EoPModerate
CVE-2019-9378A-124539196EoPModerate
CVE-2019-9380A-123700098EoPModerate
CVE-2019-9407A-112434609EoPModerate
CVE-2019-2088A-143895055IDModerate
CVE-2019-2058A-136089102IDModerate
CVE-2019-9351A-128599864IDModerate
CVE-2019-9281A-32748076IDModerate
CVE-2019-9377A-128599663IDModerate
CVE-2019-9292A-115384617IDModerate
CVE-2019-9424A-110941092IDModerate
CVE-2019-9399A-115635664IDModerate
CVE-2019-9421A-111215250IDModerate
CVE-2019-9323A-30770233IDModerate
CVE-2019-9438A-77821568IDModerate
CVE-2019-9373A-130173029DoSModerate
CVE-2019-9372A-132782448DoSModerate

Library

CVEReferencesTypeSeverity
CVE-2019-9423A-110986616EoPModerate
CVE-2019-9459A-79593569EoPModerate

Media framework

CVEReferencesTypeSeverity
CVE-2019-9297A-112890242RCEModerate
CVE-2019-9298A-112892194RCEModerate
CVE-2019-9299A-112663886RCEModerate
CVE-2019-9300A-112661610RCEModerate
CVE-2019-9301A-112663384RCEModerate
CVE-2019-9302A-112661356RCEModerate
CVE-2019-9303A-112661057RCEModerate
CVE-2019-9304A-112662270RCEModerate
CVE-2019-9305A-112661835RCEModerate
CVE-2019-9306A-112661348RCEModerate
CVE-2019-9307A-112661893RCEModerate
CVE-2019-9308A-112661742RCEModerate
CVE-2019-9346A-128433933RCEModerate
CVE-2019-9357A-112662995RCEModerate
CVE-2019-9382A-120874654RCEModerate
CVE-2019-9405A-112890225RCEModerate
CVE-2019-9278A-112537774RCEModerate
CVE-2020-0086A-131859347EoPModerate
CVE-2019-9310A-112891546EoPModerate
CVE-2019-9232A-122675483IDModerate
CVE-2019-9247A-120426166IDModerate
CVE-2019-9282A-113211371IDModerate
CVE-2019-9293A-117661116IDModerate
CVE-2019-9294A-111764444IDModerate
CVE-2019-9313A-112005441IDModerate
CVE-2019-9314A-112329563IDModerate
CVE-2019-9315A-112326216IDModerate
CVE-2019-9316A-112052432IDModerate
CVE-2019-9317A-112052258IDModerate
CVE-2019-9318A-111764725IDModerate
CVE-2019-9319A-111762100IDModerate
CVE-2019-9320A-111761624IDModerate
CVE-2019-9321A-111208713IDModerate
CVE-2019-9322A-111128067IDModerate
CVE-2019-9325A-112001302IDModerate
CVE-2019-9334A-112859934IDModerate
CVE-2019-9335A-112328051IDModerate
CVE-2019-9336A-112326322IDModerate
CVE-2019-9337A-112204376IDModerate
CVE-2019-9338A-111762686IDModerate
CVE-2019-9347A-109891727IDModerate
CVE-2019-9359A-111407302IDModerate
CVE-2019-9361A-111762807IDModerate
CVE-2019-9362A-120426980IDModerate
CVE-2019-9364A-73364631IDModerate
CVE-2019-9366A-112052062IDModerate
CVE-2019-9370A-133880046IDModerate
CVE-2019-9406A-112552517IDModerate
CVE-2019-9408A-112380157IDModerate
CVE-2019-9409A-112272091IDModerate
CVE-2019-9410A-112204443IDModerate
CVE-2019-9411A-112204845IDModerate
CVE-2019-9412A-112006096IDModerate
CVE-2019-9415A-111805098IDModerate
CVE-2019-9416A-111804142IDModerate
CVE-2019-9433A-80479354IDModerate
CVE-2019-9252A-73339042IDModerate
CVE-2019-9268A-77474014DoSModerate
CVE-2020-0088A-124389881DoSModerate
CVE-2019-9283A-112663564DoSModerate
CVE-2019-9348A-128431761DoSModerate
CVE-2019-9349A-124330204DoSModerate
CVE-2019-9352A-124253062DoSModerate
CVE-2019-9371A-132783254DoSModerate
CVE-2019-9379A-124329638DoSModerate
CVE-2019-9418A-111450210DoSModerate
CVE-2019-9420A-111272481DoSModerate

System

CVEReferencesTypeSeverity
CVE-2019-9475A-9496886IDHigh
CVE-2019-9363A-123584306RCEModerate
CVE-2019-9365A-109838537RCEModerate
CVE-2018-9425A-73884967EoPModerate
CVE-2019-9463A-113584607EoPModerate
CVE-2019-9291A-112159179EoPModerate
CVE-2019-9386A-122361874EoPModerate
CVE-2019-9375A-129344244EoPModerate
CVE-2019-9238A-121267042EoPModerate
CVE-2019-9257A-113572342EoPModerate
CVE-2019-9258A-113655028EoPModerate
CVE-2019-9259A-113575306EoPModerate
CVE-2019-9263A-73136824EoPModerate
CVE-2019-9266A-119501435EoPModerate
CVE-2019-9295A-36885811EoPModerate
CVE-2019-9309A-117985575EoPModerate
CVE-2019-9350A-129562815EoPModerate
CVE-2019-9358A-120156401EoPModerate
CVE-2018-9489A-77286245IDModerate
CVE-2019-9473A-115363533IDModerate
CVE-2019-9474A-79996267IDModerate
CVE-2019-9440A-37637796IDModerate
CVE-2019-9277A-68016944IDModerate
CVE-2019-9233A-122529021IDModerate
CVE-2019-9234A-122465453IDModerate
CVE-2019-9235A-122323053IDModerate
CVE-2019-9236A-122322613IDModerate
CVE-2019-9237A-121325979IDModerate
CVE-2019-9239A-121263487IDModerate
CVE-2019-9240A-121150966IDModerate
CVE-2019-9241A-121036603IDModerate
CVE-2019-9242A-121035878IDModerate
CVE-2019-9243A-120905706IDModerate
CVE-2019-9244A-120865977IDModerate
CVE-2019-9246A-120428637IDModerate
CVE-2019-9249A-120255805IDModerate
CVE-2019-9250A-120276962IDModerate
CVE-2019-9251A-120274615IDModerate
CVE-2019-9253A-109769728IDModerate
CVE-2019-9260A-113495295IDModerate
CVE-2019-9265A-37994606IDModerate
CVE-2019-9272A-11596047IDModerate
CVE-2019-9284A-111850706IDModerate
CVE-2019-9287A-78287084IDModerate
CVE-2019-9289A-79883824IDModerate
CVE-2018-9581A-111698366IDModerate
CVE-2019-9296A-112162089IDModerate
CVE-2019-9312A-78288018IDModerate
CVE-2019-9326A-111215173IDModerate
CVE-2019-9328A-111895000IDModerate
CVE-2019-9329A-112917952IDModerate
CVE-2019-9332A-78286500IDModerate
CVE-2019-9333A-109753657IDModerate
CVE-2019-9344A-120845341IDModerate
CVE-2019-9353A-123024201IDModerate
CVE-2019-9354A-118148142IDModerate
CVE-2019-9355A-115903122IDModerate
CVE-2019-9356A-111699773IDModerate
CVE-2019-9360A-120610663IDModerate
CVE-2019-9368A-79883568IDModerate
CVE-2019-9369A-79995407IDModerate
CVE-2019-9381A-122677612IDModerate
CVE-2019-9383A-120843827IDModerate
CVE-2019-9387A-117569833IDModerate
CVE-2019-9388A-117567437IDModerate
CVE-2019-9403A-113512324IDModerate
CVE-2019-9414A-111893041IDModerate
CVE-2019-9427A-110166350IDModerate
CVE-2019-9431A-109755179IDModerate
CVE-2019-9432A-80546108IDModerate
CVE-2019-9434A-80432895IDModerate
CVE-2019-9435A-80146682IDModerate
CVE-2019-9330A-111214739IDModerate
CVE-2019-9331A-112272279IDModerate
CVE-2019-9341A-111214770IDModerate
CVE-2019-9342A-111214470IDModerate
CVE-2019-9343A-112050983IDModerate
CVE-2019-9367A-112106425IDModerate
CVE-2019-9413A-111935831IDModerate
CVE-2019-9417A-111450079IDModerate
CVE-2019-9419A-111407544IDModerate
CVE-2019-9422A-111214766IDModerate
CVE-2020-0236A-79703353IDModerate
CVE-2019-9279A-110476382DoSModerate
CVE-2019-9285A-111215315DoSModerate
CVE-2019-9286A-111213909DoSModerate
CVE-2019-9311A-79431031DoSModerate
CVE-2019-9327A-112050583DoSModerate
CVE-2019-9462A-91544774DoSModerate
CVE-2019-9389A-117567058DoSModerate
CVE-2019-9390A-117551475DoSModerate
CVE-2019-9393A-116357965DoSModerate
CVE-2019-9394A-116351796DoSModerate
CVE-2019-9395A-116267405DoSModerate
CVE-2019-9396A-115747155DoSModerate
CVE-2019-9397A-115747410DoSModerate
CVE-2019-9398A-115745406DoSModerate
CVE-2019-9400A-115509589DoSModerate
CVE-2019-9401A-115375248DoSModerate
CVE-2019-9402A-115372550DoSModerate
CVE-2019-9404A-112923309DoSModerate
CVE-2019-9425A-110846194DoSModerate
CVE-2019-9430A-109838296DoSModerate

Libxaac

The Android 9 libxaac library was marked as experimental and removed from production Android builds as part of the November 2018 Android Security Bulletin. We would like to acknowledge researchers for their findings.

The issues identified include the following CVE IDs: CVE-2019-2055, CVE-2019-2059, CVE-2019-2060, CVE-2019-2061, CVE-2019-2062, CVE-2019-2063, CVE-2019-2064, CVE-2019-2065, CVE-2019-2066, CVE-2019-2067, CVE-2019-2068, CVE-2019-2069, CVE-2019-2070, CVE-2019-2071, CVE-2019-2072, CVE-2019-2073, CVE-2019-2074, CVE-2019-2075, CVE-2019-2076, CVE-2019-2077, CVE-2019-2078, CVE-2019-2079, CVE-2019-2080, CVE-2019-2081, CVE-2019-2082, CVE-2019-2083, CVE-2019-2084, CVE-2019-2085, CVE-2019-2086, CVE-2019-2087, CVE-2019-2138, CVE-2019-2139, CVE-2019-2140, CVE-2019-2141, CVE-2019-2142, CVE-2019-2143, CVE-2019-2144, CVE-2019-2145, CVE-2019-2146, CVE-2019-2147, CVE-2019-2148, CVE-2019-2149, CVE-2019-2150, CVE-2019-2151, CVE-2019-2152, CVE-2019-2153, CVE-2019-2154, CVE-2019-2155, CVE-2019-2156, CVE-2019-2157, CVE-2019-2158, CVE-2019-2159, CVE-2019-2160, CVE-2019-2161, CVE-2019-2162, CVE-2019-2163, CVE-2019-2164, CVE-2019-2165, CVE-2019-2166, CVE-2019-2167, CVE-2019-2168, CVE-2019-2169, CVE-2019-2170, CVE-2019-2171, CVE-2019-2172, CVE-2019-9261, CVE-2019-9264, CVE-2019-9385, and CVE-2019-9391.

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security level, see Check and update your Android version.

Android 10, as released on AOSP, has a default security level of 2019-09-01. Android devices running Android 10 and with a security level of 2019-09-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?
Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

AbbreviationDefinition
RCERemote code execution
EoPElevation of privilege
IDInformation disclosure
DoSDenial of service
N/AClassification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

PrefixReference
A-Android bug ID

Versions

VersionDateNotes
1.0August 20, 2019Security Release Notes published.
1.1August 21, 2019Minor adjustments to vulnerability tables
1.2September 17, 2019Updated acknowledgements and issue list
1.3November 21, 2019Updated issue list
1.4February 12, 2020Updated issue list
1.5February 26, 2020Updated issue list
1.6May 11, 2020Updated issue list
1.7June 11, 2020Updated issue list
1.8January 27, 2021Updated issue list