SB2023070534 - Multiple vulnerabilities in Google Android 




Published: July 5, 2023 Updated: June 7, 2024

Security Bulletin ID: SB2023070534
Severity: High
Patch available: YES
Number of vulnerabilities: 43
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical 2%, High 7%, Medium 5%, Low 86%

Description

This security bulletin contains information about 43 security vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2023-22386)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN HOST. A local application can execute arbitrary code.


2) Integer overflow (CVE-ID: CVE-2023-22667)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.


3) Improper input validation (CVE-ID: CVE-2023-21631)

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to improper input validation in Modem. A remote attacker can manipulate data.


4) Double Free (CVE-ID: CVE-2023-21629)

The vulnerability allows a local attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in Modem. A local attacker can execute arbitrary code.


5) Buffer over-read (CVE-ID: CVE-2023-28542)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN HOST. A local application can execute arbitrary code.


6) Buffer over-read (CVE-ID: CVE-2023-28541)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN Host. A local application can execute arbitrary code.


7) Stack-based buffer overflow (CVE-ID: CVE-2023-24854)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN HOST. A local application can execute arbitrary code.


8) Buffer overflow (CVE-ID: CVE-2023-24851)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in WLAN HOST. A local application can execute arbitrary code.


9) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-22387)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Qualcomm IPC. A local application can execute arbitrary code.


10) Use After Free (CVE-ID: CVE-2023-21672)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.


11) Use-after-free (CVE-ID: CVE-2022-42703)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the mm/rmap.c in the Linux kernel, related to leaf anon_vma double reuse. A local user can trigger a use-after-free error and crash the kernel.


12) Improper input validation (CVE-ID: CVE-2023-20755)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to an integer overflow within keyinstall. A local privileged application can execute arbitrary code.


13) Integer overflow (CVE-ID: CVE-2023-20754)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to an integer overflow within keyinstall. A local privileged application can execute arbitrary code.


14) Input validation error (CVE-ID: CVE-2021-0948)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input within PowerVR-GPU. A local application can execute arbitrary code with elevated privileges.


15) Memory leak (CVE-ID: CVE-2023-26083)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to a memory leak. A local application can force the driver to leak memory and gain access to sensitive information.

Note, this vulnerability is being actively exploited in the wild.


16) Use-after-free (CVE-ID: CVE-2023-28147)

The vulnerability allows a local application to escalate privileges on the device.

The vulnerability exists due to a use-after-free error. A malicious application can trigger a use-after-free error and execute arbitrary code on the device.



17) Use-after-free (CVE-ID: CVE-2022-28350)

The vulnerability allows a malicious application to escalate privileges on the device.

The vulnerability exists due to a use-after-free error. A malicious application can trigger a use-after-free error and execute arbitrary code with elevated privileges.


18) Use-after-free (CVE-ID: CVE-2021-29256)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to improper operations on GPU memory. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.


19) Use-after-free (CVE-ID: CVE-2023-25012)

The vulnerability allows an attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the bigben_remove() function in drivers/hid/hid-bigbenff.c. An attacker with physical access to the system can attach a specially crafted USB device to the system and cause a denial of service condition.


20) Use-after-free (CVE-ID: CVE-2023-21255)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input within the binder_transaction_buffer_release() function in the Binder subsystem of the Android kernel. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.


21) Improper input validation (CVE-ID: CVE-2023-21243)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.


22) Improper input validation (CVE-ID: CVE-2023-21248)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


23) Improper input validation (CVE-ID: CVE-2023-21250)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.


24) Information exposure (CVE-ID: CVE-2023-21239)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.


25) Information exposure (CVE-ID: CVE-2023-21249)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.


26) Improper input validation (CVE-ID: CVE-2023-21262)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


27) Information exposure (CVE-ID: CVE-2023-21238)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.


28) Improper input validation (CVE-ID: CVE-2023-21254)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


29) Improper input validation (CVE-ID: CVE-2023-21251)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


30) Improper input validation (CVE-ID: CVE-2023-21245)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


31) Improper input validation (CVE-ID: CVE-2023-21145)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


32) Improper input validation (CVE-ID: CVE-2023-21257)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.


33) Improper input validation (CVE-ID: CVE-2023-21240)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the System component. A local application can perform a denial of service (DoS) attack.


34) Information exposure (CVE-ID: CVE-2023-21261)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.


35) Improper input validation (CVE-ID: CVE-2023-21256)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


36) Improper input validation (CVE-ID: CVE-2023-21247)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


37) Improper input validation (CVE-ID: CVE-2023-21246)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


38) Improper input validation (CVE-ID: CVE-2023-21241)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.


39) Input validation error (CVE-ID: CVE-2023-20910)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in the Android Wi-Fi component. A local application can pass specially crafted input to the system and perform a denial of service (DoS) attack.


40) Buffer overflow (CVE-ID: CVE-2023-20918)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to a boundary error within Android Framework. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.


41) Improper input validation (CVE-ID: CVE-2023-21087)

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Framework component. A local application can perform a denial of service (DoS) attack.


42) Input validation error (CVE-ID: CVE-2023-20942)

The vulnerability allows a local application to escalate privileges on the system.

The vulnerability exists due to insufficient validation of untrusted input within the Android Framework. A local application can execute arbitrary code with elevated privileges.


43) Integer overflow (CVE-ID: CVE-2023-2136)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow in the Skia component in Google Chrome. A remote attacker can trick the victim into opening a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Note, the vulnerability is being actively exploited in the wild.


Remediation

Install the update from the vendor's website.