CVE-2023-21002

Severity: 7.8 HIGH

📋 TL;DR

This vulnerability allows a local attacker to bypass permission checks in Android's Transcode Permission Controllers and gain elevated privileges without user interaction. It affects Android 13 devices, particularly those running vulnerable Pixel builds; the resulting impact is local privilege escalation.

💻 Affected Systems

Products:
  • Android
  • Google Pixel devices
Versions: Android 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects Pixel devices with vulnerable builds; other Android 13 devices may also be affected depending on manufacturer implementations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise allowing an attacker to execute arbitrary code with system privileges, access sensitive data, and persist malware.

🟠 Likely Case: Local privilege escalation allowing unauthorized access to protected system functions and user data.

🟢 If Mitigated: Limited impact with proper patch management and security controls in place.

🌐 Internet-Facing: LOW (requires local access to device)
🏢 Internal Only: HIGH (local attackers can exploit without network access)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to device but no user interaction. Exploitation involves calling vulnerable permission controllers with crafted parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2023-03-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install Android Security Patch Level 2023-03-01 or later.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable unnecessary permissions (android): Review and restrict app permissions to minimize attack surface.

Enable Google Play Protect (android): Ensure Google's built-in malware protection is active.

🧯 If You Can't Patch

  • Restrict physical access to devices and implement strong device authentication
  • Monitor for suspicious privilege escalation attempts using Android logging

🔍 How to Verify

Check if Vulnerable:

Check Settings > About phone > Android version and Security patch level. If the device runs Android 13 with a security patch level earlier than 2023-03-01, it is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the Security patch level in Settings > About phone shows 2023-03-01 or later (the same value `ro.build.version.security_patch` returns over adb).
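The verification steps above, scripted for a fleet of USB-connected devices. This is an added example, not part of the advisory: it reads the two build properties the check relies on (`ro.build.version.release` and `ro.build.version.security_patch`, both real Android properties) and classifies each device against the 2023-03-01 patch level from the bulletin. It assumes `adb` is on PATH and the devices are authorized for USB debugging.

```shell
#!/bin/sh
# Added example: classify Android devices for CVE-2023-21002 using the
# advisory's own rule (Android 13 with security patch level < 2023-03-01).
FIXED_PATCH_LEVEL="2023-03-01"   # first patch level carrying the fix

# classify_device RELEASE PATCH_LEVEL
# prints: vulnerable | patched | not-listed | unknown
classify_device() {
    release="$1"
    patch="$2"
    # Only accept a well-formed YYYY-MM-DD patch level.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    # The advisory lists Android 13 as the affected version.
    if [ "$release" != "13" ]; then
        echo "not-listed"
        return 0
    fi
    # ISO dates compare correctly as integers once the dashes are removed.
    patch_num=$(printf '%s' "$patch" | sed 's/-//g')
    fixed_num=$(printf '%s' "$FIXED_PATCH_LEVEL" | sed 's/-//g')
    if [ "$patch_num" -lt "$fixed_num" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# check_connected_devices: query every device 'adb devices' reports as online
# and print one tab-separated line per device with its classification.
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        printf '%s\tAndroid %s\tpatch %s\t%s\n' \
            "$serial" "$rel" "$patch" "$(classify_device "$rel" "$patch")"
    done
}

# Run the inventory only when CHECK_DEVICES=1, so the file can be sourced
# for testing without touching adb.
if [ "${CHECK_DEVICES:-0}" = "1" ]; then
    check_connected_devices
fi
```

Run it with `CHECK_DEVICES=1 sh check_cve_2023_21002.sh` (file name is an assumption); a device reported as `vulnerable` should be updated per the Instructions above.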

📡 Detection & Monitoring

Log Indicators:

  • Unusual permission requests in system logs
  • Unexpected calls to Transcode Permission Controllers

Network Indicators:

  • None (local-only vulnerability)

SIEM Query:

android_logs | where message contains "TranscodePermissionController" and (message contains "permission bypass" or message contains "unauthorized access")
