Login Sign Up

CVE-2023-21019

5.5 MEDIUM

📋 TL;DR

This CVE describes a heap buffer overflow vulnerability in Android's H.264 video encoder that allows local information disclosure without user interaction. Attackers can exploit this to read memory contents they shouldn't access, potentially exposing sensitive data. Only Android 13 devices with the vulnerable video encoder component are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices using the specific H.264 video encoder component. Pixel devices are confirmed affected per the bulletin.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read sensitive memory contents from the video encoder process, potentially exposing cryptographic keys, authentication tokens, or other application data.

🟠

Likely Case

Local information disclosure where an attacker with app-level access can read limited memory contents from the video encoder process.

🟢

If Mitigated

With proper sandboxing and SELinux policies, the impact is limited to the video encoder process memory space only.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring app-level access to the device.
🏢 Internal Only: MEDIUM - Malicious apps or compromised user sessions could exploit this to gather information from the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local app access and knowledge of heap manipulation techniques. No user interaction needed once app is installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Update March 2023 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Go to Settings > System > System update. 2. Check for updates. 3. Install the March 2023 Android security update. 4. Restart device after installation.

🔧 Temporary Workarounds

Disable H.264 video encoding

android

Prevent apps from using H.264 video encoding which triggers the vulnerable code path

🧯 If You Can't Patch

  • Restrict app installations to trusted sources only from Google Play Store
  • Implement strict app permission controls and review app behavior regularly

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If it shows Android 13 without March 2023 security patch, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android version is 13 with security patch level March 5, 2023 or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs showing memory access violations in video encoder process
  • App crashes when using H.264 video encoding features

SIEM Query:

source="android_logs" AND (process="media.codec" OR process="media.extractor") AND (message="segmentation fault" OR message="SIGSEGV")

📊 Metadata

CVE ID: CVE-2023-21019
CVSS v3 Score: 5.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-125
Published: March 24, 2023
Last Updated: February 24, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-21019, you might also want to check these:

CVE-2021-41556 10.0

CVE-2021-41556 is a critical out-of-bounds read vulnerability in Squirrel scripting language that al...

Same vulnerability type (CWE-125)
CVE-2024-22004 10.0

This vulnerability allows attackers with privileged access on Linux non-secure operating systems to ...

Same vulnerability type (CWE-125)
CVE-2021-21777 10.0

CVE-2021-21777 is a critical out-of-bounds read vulnerability in the Ethernet/IP UDP handler of OpEN...

Same vulnerability type (CWE-125)