Multiple vulnerabilities in Google Pixel



Risk High
Patch available YES
Number of vulnerabilities 18
CVE-ID CVE-2023-26072
CVE-2022-33298
CVE-2022-33296
CVE-2022-33301
CVE-2023-26076
CVE-2023-26075
CVE-2023-26074
CVE-2023-26073
CVE-2023-29092
CVE-2023-0266
CVE-2023-29091
CVE-2023-29090
CVE-2023-29089
CVE-2023-29088
CVE-2023-29087
CVE-2023-29086
CVE-2023-29085
CVE-2023-28613
CWE-ID CWE-20
CWE-416
CWE-190
CWE-704
CWE-200
Exploitation vector Network
Public exploit Vulnerability #10 is being exploited in the wild.
Vulnerable software
Pixel
Mobile applications / Mobile firmware & hardware

Vendor Google

Security Bulletin

This security bulletin contains information about 18 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU74782

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26072

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use After Free

EUVDB-ID: #VU74330

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33298

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Modem. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Integer overflow

EUVDB-ID: #VU74328

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33296

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local application to read and manipulate data.

The vulnerability exists due to improper input validation in Modem. A local application can read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect Type Conversion or Cast (Type Conversion)

EUVDB-ID: #VU74333

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-33301

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Audio. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU74786

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26076

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU74785

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26075

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper input validation

EUVDB-ID: #VU74784

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26074

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU74783

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-26073

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Information exposure

EUVDB-ID: #VU74781

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29092

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the wfc-pkt-router subcomponent in Pixel. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Use-after-free

EUVDB-ID: #VU71482

Risk: High

CVSSv3.1: 8.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-0266

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the snd_ctl_elem_read() function in the Linux kernel sound subsystem. A local user can trigger a use-after-free error and execute arbitrary code on the system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

11) Improper input validation

EUVDB-ID: #VU74780

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29091

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU74779

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29090

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper input validation

EUVDB-ID: #VU74778

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29089

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improper input validation

EUVDB-ID: #VU74777

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29088

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper input validation

EUVDB-ID: #VU74776

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29087

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper input validation

EUVDB-ID: #VU74775

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29086

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper input validation

EUVDB-ID: #VU74774

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29085

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Improper input validation

EUVDB-ID: #VU74773

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28613

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the modem subcomponent in Pixel. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-04-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-04-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###