SB2023041046 - Multiple vulnerabilities in Google Pixel
Published: April 10, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 18 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-26072)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
2) Use After Free (CVE-ID: CVE-2022-33298)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Modem. A local privileged application can execute arbitrary code.
3) Integer overflow (CVE-ID: CVE-2022-33296)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Modem. A local application can read and manipulate data.
4) Incorrect Type Conversion or Cast (Type Conversion) (CVE-ID: CVE-2022-33301)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local privileged application can execute arbitrary code.
5) Improper input validation (CVE-ID: CVE-2023-26076)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
6) Improper input validation (CVE-ID: CVE-2023-26075)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
7) Improper input validation (CVE-ID: CVE-2023-26074)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
8) Improper input validation (CVE-ID: CVE-2023-26073)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
9) Information exposure (CVE-ID: CVE-2023-29092)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the wfc-pkt-router subcomponent in Pixel. A local application can gain access to sensitive information.
10) Use-after-free (CVE-ID: CVE-2023-0266)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the snd_ctl_elem_read() function in the Linux kernel sound subsystem. A local user can trigger a use-after-free error and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
11) Improper input validation (CVE-ID: CVE-2023-29091)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
12) Improper input validation (CVE-ID: CVE-2023-29090)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
13) Improper input validation (CVE-ID: CVE-2023-29089)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
14) Improper input validation (CVE-ID: CVE-2023-29088)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
15) Improper input validation (CVE-ID: CVE-2023-29087)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
16) Improper input validation (CVE-ID: CVE-2023-29086)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
17) Improper input validation (CVE-ID: CVE-2023-29085)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
18) Improper input validation (CVE-ID: CVE-2023-28613)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.
Remediation
Install update from vendor's website.