Login Sign Up

CVE-2023-20969

4.4 MEDIUM

📋 TL;DR

This CVE describes an out-of-bounds read vulnerability in Android's p2p_iface.cpp that could allow local information disclosure. It affects Android 13 devices and requires System execution privileges for exploitation, with no user interaction needed. The vulnerability could expose sensitive memory contents to local attackers.

💻 Affected Systems

Products:
  • Android
Versions: Android 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices running Android 13. Requires System execution privileges for exploitation.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker with System privileges reads arbitrary memory contents, potentially exposing sensitive data like encryption keys, passwords, or other application data.

🟠

Likely Case

Limited information disclosure from adjacent memory locations, potentially exposing some system or application data but not full system compromise.

🟢

If Mitigated

No impact if proper privilege separation is enforced and attackers cannot obtain System execution privileges.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring System privileges, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Could be exploited by malicious apps or users who have gained System privileges on the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires System execution privileges and knowledge of memory layout. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Bulletin March 2023 patches

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the March 2023 security update. 3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict System Privileges

android

Limit which apps and users can obtain System execution privileges through Android's permission system

🧯 If You Can't Patch

  • Implement strict app vetting and only install apps from trusted sources
  • Use Android's Work Profile or containerization to isolate potentially malicious apps

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If it shows Android 13 without March 2023 security patches, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify the security patch level in Settings > About phone > Android version. It should show 'Security patch level: March 5, 2023' or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory access patterns in system logs
  • Processes attempting to access privileged memory regions

Network Indicators:

  • No network indicators - this is a local vulnerability

SIEM Query:

No specific SIEM query as this is a local memory corruption issue

📊 Metadata

CVE ID: CVE-2023-20969
CVSS v3 Score: 4.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-125
Published: March 24, 2023
Last Updated: February 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-20969, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)