CVE-2023-21138 — Improper Input Validation in Google Android

CWE-20 — Improper Input Validation CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 98.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Packages Services Telecomm Google Android

Timeline

PublishedJun 15

Description

In onNullBinding of CallRedirectionProcessor.java, there is a possible long lived connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-273260090

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5google/androidAndroid-11 Android-12 Android-12L Android-13

▶NVDgoogle/android4 versions+3

▶Androidplatform/packages_services_telecomm13-next:0 — 13-next:2023-06-01+4

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

CVEList

CVE-2023-21138: In onNullBinding of CallRedirectionProcessor↗2023-06-15

▶

GHSA

GHSA-944w-cmcw-jwwf: In onNullBinding of CallRedirectionProcessor↗2023-06-15

▶

OSV

CVE-2023-21138: In onNullBinding of CallRedirectionProcessor↗2023-06-01

▶

📋Vendor Advisories

Android

CVE-2023-21138: Android Security Bulletin 2023-06-01 CVE: CVE-2023-21138 Severity: HIGH Type: EoP Affected AOSP versions: 11, 12, 12L, 13 References: A-273260090↗2023-06-01

▶