https://www.bleepingcomputer.com/news/security/google-fixes-two-critical-android-code-execution-vulnerabilities/

Two critical remote code execution (RCE) and nine high severity elevation of privileges (EoP) and information disclosure (ID) vulnerabilities were fixed by Google in the Android Open Source Project (AOSP) as part of security patch level 2019-04-01.

The security issues tracked as CVE-2019-2027 and CVE-2019-2028 as part of the 2019-04-01 security patch level are critical vulnerabilities impacting the Media framework which could allow potential remote attackers to make use of specially crafted files "to execute arbitrary code within the context of a privileged process."