CVE-2023-21282 — Out-of-bounds Write in External AAC

CWE-787 — Out-of-bounds Write4 documents4 sources

Severity

8.8HIGHNVD

EPSS

1.3%

top 20.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform External AAC Google Android

Timeline

PublishedAug 14

Latest updateAug 15

Description

In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Androidplatform/external_aac13-next:0 — 13-next:2023-08-01+4

▶CVEListV5google/android4 versions+3

▶NVDgoogle/android4 versions+3

▶googlegoogle/android

Patches

Patch: android.googlesource.com ↗Patch: source.android.com ↗Patch: android.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-vpr2-2qww-hp7j: In TRANSPOSER_SETTINGS of lpp_tran↗2023-08-15

▶

OSV

CVE-2023-21282: In TRANSPOSER_SETTINGS of lpp_tran↗2023-08-01

▶

📋Vendor Advisories

Android

CVE-2023-21282: Android Security Bulletin 2023-08-01 CVE: CVE-2023-21282 Severity: CRITICAL Type: RCE Affected AOSP versions: 11, 12, 12L, 13 References: A-279766766↗2023-08-01

▶