Multiple vulnerabilities in Google Pixel



Risk Low
Patch available YES
Number of vulnerabilities 14
CVE-ID CVE-2023-21400
CVE-2023-35693
CVE-2023-21399
CVE-2023-35691
CVE-2023-35692
CVE-2023-35694
CVE-2023-21641
CVE-2023-21624
CVE-2023-21633
CVE-2023-21635
CVE-2023-21637
CVE-2023-21638
CVE-2023-21639
CVE-2023-21640
CWE-ID CWE-20
CWE-200
CWE-264
CWE-119
CWE-120
CWE-704
Exploitation vector Local
Public exploit N/A
Vulnerable software
Pixel
Mobile applications / Mobile firmware & hardware

Vendor Google

Security Bulletin

This security bulletin contains information about 14 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU77993

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21400

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Kernel io_uring subcomponent in Kernel components. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU77994

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35693

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Incremental File System (IncFS) subcomponent in Kernel components. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU77995

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21399

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the GSC subcomponent in Pixel. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU77996

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35691

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Titan M subcomponent in Pixel. A local application can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU77997

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35692

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Telephony subcomponent in Pixel. A local application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Information exposure

EUVDB-ID: #VU77998

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-35694

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the samsung_slsi subcomponent in Pixel. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU77870

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21641

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local application to read, manipulate or delete data.

The vulnerability exists due to improper input validation in Display. A local application can read, manipulate or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Information exposure

EUVDB-ID: #VU77856

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21624

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation in DSP Services. A local application can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory corruption

EUVDB-ID: #VU77857

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21633

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Linux. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Buffer overflow

EUVDB-ID: #VU77858

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21635

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Data Network Stack & Connectivity. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory corruption

EUVDB-ID: #VU77859

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21637

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Linux. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Type conversion

EUVDB-ID: #VU77860

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21638

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Video. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Buffer overflow

EUVDB-ID: #VU77861

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21639

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Audio. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Buffer overflow

EUVDB-ID: #VU77862

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21640

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Linux. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2023-07-05

CPE2.3 External links

http://source.android.com/docs/security/bulletin/pixel/2023-07-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###