Multiple vulnerabilities in Google Pixel

Published: 2024-01-03

Risk	Low
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2023-28583 CVE-2023-33038 CVE-2023-33111
CWE-ID	CWE-415 CWE-190 CWE-20
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	Pixel Mobile applications / Mobile firmware & hardware
Vendor	Google

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Double Free

EUVDB-ID: #VU84896

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-28583

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Data Network Stack & Connectivity. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2024-01-05

CPE2.3

cpe:2.3:a:google:pixel:*:*:*:*:*:*:*:*

External links

https:
https://source.android.com/docs/security/bulletin/pixel/2024-01-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU84897

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-33038

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Radio Interface Layer. A local privileged application can execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2024-01-05

CPE2.3

cpe:2.3:a:google:pixel:*:*:*:*:*:*:*:*

External links

https:
https://source.android.com/docs/security/bulletin/pixel/2024-01-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU84966

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-33111

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local application to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within the Audio component. A local application bypass implemented security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Pixel: before 2024-01-05

CPE2.3

cpe:2.3:a:google:pixel:*:*:*:*:*:*:*:*

External links

https:
https://source.android.com/docs/security/bulletin/pixel/2024-01-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.