SB2023070536 - Multiple vulnerabilities in Google Pixel

Security Bulletin ID SB2023070536

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 14

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 14 vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2023-21400)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Kernel io_uring subcomponent in Kernel components. A local application can execute arbitrary code.

2) Improper input validation (CVE-ID: CVE-2023-35693)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Incremental File System (IncFS) subcomponent in Kernel components. A local application can execute arbitrary code.

3) Improper input validation (CVE-ID: CVE-2023-21399)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the GSC subcomponent in Pixel. A local application can execute arbitrary code.

4) Improper input validation (CVE-ID: CVE-2023-35691)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Titan M subcomponent in Pixel. A local application can perform a denial of service (DoS) attack.

5) Improper input validation (CVE-ID: CVE-2023-35692)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Telephony subcomponent in Pixel. A local application can execute arbitrary code.

6) Information exposure (CVE-ID: CVE-2023-35694)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the samsung_slsi subcomponent in Pixel. A local application can gain access to sensitive information.

7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-21641)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to read, manipulate or delete data.

The vulnerability exists due to improper input validation in Display. A local application can read, manipulate or delete data.

8) Information exposure (CVE-ID: CVE-2023-21624)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation in DSP Services. A local application can gain access to sensitive information.

9) Memory corruption (CVE-ID: CVE-2023-21633)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear