SB2024010340 - Multiple vulnerabilities in Google Android
Published: January 3, 2024 Updated: June 28, 2025
Description
This security bulletin contains information about 58 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-33014)
The vulnerability allows a local attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Services. A local attacker can execute arbitrary code.
2) Buffer overflow (CVE-ID: CVE-2023-28544)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN Firmware. A local application can execute arbitrary code.
3) Improper Validation of Array Index (CVE-ID: CVE-2023-28548)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
4) Improper Validation of Array Index (CVE-ID: CVE-2023-28557)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
5) Improper Validation of Array Index (CVE-ID: CVE-2023-28558)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
6) Buffer overflow (CVE-ID: CVE-2023-28559)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
7) Buffer overflow (CVE-ID: CVE-2023-28560)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
8) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-28564)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
9) Improper Validation of Array Index (CVE-ID: CVE-2023-28565)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
10) Improper Validation of Array Index (CVE-ID: CVE-2023-28567)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
11) Buffer overflow (CVE-ID: CVE-2023-33030)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in HLOS. A local application can execute arbitrary code.
12) NULL Pointer Dereference (CVE-ID: CVE-2023-33036)
The vulnerability allows a local application to crash the entire system.
The vulnerability exists due to improper input validation in Hypervisor. A local application can crash the entire system.
13) Integer overflow (CVE-ID: CVE-2023-33032)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in TZ Secure OS. A local application can execute arbitrary code.
14) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-33033)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
15) Cryptographic Issues (CVE-ID: CVE-2023-33037)
The vulnerability allows a local application to read and manipulate data.
The vulnerability exists due to improper input validation in Automotive. A local application can read and manipulate data.
16) Buffer over-read (CVE-ID: CVE-2023-33040)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.
17) Reachable Assertion (CVE-ID: CVE-2023-33043)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Modem. A remote attacker can perform a denial of service (DoS) attack.
18) Reachable Assertion (CVE-ID: CVE-2023-33044)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can perform a denial of service (DoS) attack.
19) Buffer over-read (CVE-ID: CVE-2023-33062)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
20) NULL Pointer Dereference (CVE-ID: CVE-2023-33109)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
21) Buffer over-read (CVE-ID: CVE-2023-33112)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
22) Loop with Unreachable Exit Condition ('Infinite Loop') (CVE-ID: CVE-2023-43511)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in WLAN Firmware. A remote attacker can perform a denial of service (DoS) attack.
23) Improper Validation of Array Index (CVE-ID: CVE-2022-33275)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in WLAN HAL. A local application can execute arbitrary code.
24) Buffer overflow (CVE-ID: CVE-2023-33025)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in Data Modem. A remote attacker can execute arbitrary code.
25) Use-after-free (CVE-ID: CVE-2023-4295)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error caused by improper GPU memory processing operations. A local user can execute arbitrary code with elevated privileges.
26) Use-after-free (CVE-ID: CVE-2023-5427)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error caused by improper GPU processing operations. A local application can trigger a use-after-free error and execute arbitrary code with elevated privileges.
27) Out-of-bounds write (CVE-ID: CVE-2023-32874)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to a missing bounds check within Modem IMS Stack. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code.
28) Out-of-bounds write (CVE-ID: CVE-2023-32872)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within keyInstall. A local privileged application can execute arbitrary code.
29) Type conversion (CVE-ID: CVE-2023-21651)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Core. A local application can execute arbitrary code.
30) Use After Free (CVE-ID: CVE-2023-33094)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Linux Graphics. A local application can execute arbitrary code.
31) Use After Free (CVE-ID: CVE-2023-33108)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Graphics. A local application can execute arbitrary code.
32) Use of Out-of-range Pointer Offset (CVE-ID: CVE-2023-33110)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
33) Buffer overflow (CVE-ID: CVE-2023-33113)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Kernel. A local application can execute arbitrary code.
34) Use After Free (CVE-ID: CVE-2023-33114)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Neural Processing Unit. A local application can execute arbitrary code.
35) Use After Free (CVE-ID: CVE-2023-33117)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
36) Use After Free (CVE-ID: CVE-2023-33120)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in Audio. A local application can execute arbitrary code.
37) Use After Free (CVE-ID: CVE-2023-43514)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation in DSP Services. A local application can execute arbitrary code.
38) Use-after-free (CVE-ID: CVE-2023-21165)
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in PowerVR-GPU DevmemIntUnmapPMR. A local application can execute arbitrary code with elevated privileges.
39) Information exposure (CVE-ID: CVE-2024-0016)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
40) Improper input validation (CVE-ID: CVE-2024-0018)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Media Codecs component. A local application can execute arbitrary code.
41) Improper input validation (CVE-ID: CVE-2024-0015)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
42) Information exposure (CVE-ID: CVE-2023-40085)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
43) Information exposure (CVE-ID: CVE-2024-0017)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
44) Information exposure (CVE-ID: CVE-2024-0020)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the System component. A local application can gain access to sensitive information.
45) Improper input validation (CVE-ID: CVE-2024-0021)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the System component. A local application can execute arbitrary code.
46) Information exposure (CVE-ID: CVE-2024-0019)
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Framework component. A local application can gain access to sensitive information.
47) Improper input validation (CVE-ID: CVE-2024-0023)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
48) Improper input validation (CVE-ID: CVE-2023-21245)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
49) Out-of-bounds write (CVE-ID: CVE-2023-48340)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by improper input validation within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
50) Out-of-bounds read (CVE-ID: CVE-2023-48341)
The vulnerability allows a remote attacker to access sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds read caused by improper input validation within the video decoder in Android. A remote attacker can access sensitive information or perform a denial of service (DoS) attack.
51) Out-of-bounds write (CVE-ID: CVE-2023-48342)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by a missing bounds check within the media service in Android. A remote attacker can perform a denial of service (DoS) attack.
52) Out-of-bounds write (CVE-ID: CVE-2023-48343)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by improper input validation within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
53) Buffer over-read (CVE-ID: CVE-2023-48344)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds read caused by improper input validation within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
54) Out-of-bounds write (CVE-ID: CVE-2023-48348)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by improper input validation within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
55) Out-of-bounds write (CVE-ID: CVE-2023-48349)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by a missing bounds check within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
56) Out-of-bounds write (CVE-ID: CVE-2023-48350)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by a missing bounds check within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
57) Out-of-bounds write (CVE-ID: CVE-2023-48351)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a possible out-of-bounds write caused by a missing bounds check within the video decoder in Android. A remote attacker can perform a denial of service (DoS) attack.
58) Out-of-bounds write (CVE-ID: CVE-2023-48352)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to a possible out-of-bounds write caused by a missing bounds check within the phasecheckserver in Android. A local application can execute arbitrary code.
Remediation
Install the update from the vendor's website.