Login Sign Up

CVE-2023-20963

7.8 HIGH

📋 TL;DR

This vulnerability in Android's WorkSource component involves a parcel mismatch that allows local privilege escalation without requiring user interaction or additional execution privileges. It affects Android devices running versions 11 through 13, enabling attackers to gain elevated system access.

💻 Affected Systems

Products:
  • Android
Versions: Android 11, Android 12, Android 12L, Android 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected Android versions are vulnerable by default. No special configuration required for exploitation.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with attacker gaining root/system-level privileges, allowing installation of persistent malware, data theft, and full control over the device.

🟠

Likely Case

Local attacker gains elevated privileges to access sensitive data, install malicious apps, or modify system settings without user knowledge.

🟢

If Mitigated

With proper patching and security controls, the vulnerability is eliminated, preventing any privilege escalation attempts.

🌐 Internet-Facing: LOW (Exploitation requires local access to the device, not remote network access)
🏢 Internal Only: HIGH (Attackers with physical or local access to the device can exploit this without user interaction)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but no user interaction. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Bulletin March 2023 patches

Vendor Advisory: https://source.android.com/security/bulletin/2023-03-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the March 2023 security patch. 3. Reboot the device after installation.

🔧 Temporary Workarounds

No effective workarounds

all

This is a core Android framework vulnerability requiring patching. No configuration changes or workarounds can mitigate the risk.

🧯 If You Can't Patch

  • Restrict physical access to devices and implement strict device management policies
  • Monitor for suspicious privilege escalation attempts and unusual system behavior

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If version is 11, 12, 12L, or 13 without March 2023 security patches, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android Security Patch Level shows March 2023 or later in Settings > About phone > Android version > Android security update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events in system logs
  • Suspicious WorkSource component access

Network Indicators:

  • No network indicators as this is a local exploit

SIEM Query:

source="android_system" AND (event_type="privilege_escalation" OR component="WorkSource")

📊 Metadata

CVE ID: CVE-2023-20963
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-295
Published: March 24, 2023
Last Updated: October 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-20963, you might also want to check these:

CVE-2025-68121 10.0

This vulnerability in Go's crypto/tls package allows TLS session resumption to succeed when it shoul...

Same vulnerability type (CWE-295)
CVE-2024-5261 9.8

LibreOfficeKit mode in LibreOffice versions before 24.2.4 disables TLS certificate verification when...

Same vulnerability type (CWE-295)
CVE-2023-51837 9.8

MeshCentral 1.1.16 fails to properly validate SSL certificates when establishing connections, allowi...

Same vulnerability type (CWE-295)