CVE-2023-21026

5.5 MEDIUM

📋 TL;DR

This Android vulnerability allows an attacker to set a touchable region beyond its own SurfaceControl due to a logic error in WindowManagerService. This could lead to local denial of service without requiring user interaction or elevated privileges. Only Android 13 devices are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 13 only
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All Android 13 devices are vulnerable by default; requires March 2023 or later security patches to fix.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial of service affecting touch functionality on the device, potentially requiring a reboot to restore normal operation.

🟠 Likely Case

Temporary disruption of touch input in specific applications or system areas until the affected process is terminated.

🟢 If Mitigated

Minimal impact with proper patching; isolated application crashes without system-wide effects.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring physical or app-based access to the device.
🏢 Internal Only: MEDIUM - Malicious apps could exploit this to disrupt device functionality, but requires local installation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious app to be installed on the device; no user interaction needed once installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level March 2023 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the March 2023 or later Android security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict app installations (platform: android)

Only install apps from trusted sources such as the Google Play Store to reduce the risk of malicious apps.

Disable unknown sources (platform: android)

Prevent installation of apps from unknown sources in device settings.

🧯 If You Can't Patch

  • Monitor for suspicious app behavior and uninstall any apps causing touch input issues.
  • Implement mobile device management (MDM) to control app installations and monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check Android version and security patch level in Settings > About phone > Android version.

Check Version:

Settings navigation only; no command line access on standard Android devices.

Verify Fix Applied:

Verify security patch level shows March 2023 or later in Settings > About phone > Android version.
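For fleet checks the same comparison can be scripted. The following is an added example, not part of the advisory: it reads the Android release and security patch level (the real system properties `ro.build.version.release` and `ro.build.version.security_patch`) over adb, which assumes USB debugging is enabled on the device (the advisory itself assumes settings-only access), and compares the patch level against the March 2023 fix level given above. The function and script names are the example's own.

```shell
#!/bin/sh
# Added example: classify a device as patched / vulnerable / not-affected for
# CVE-2023-21026 from its Android release and security patch level.
# Fix level taken from the advisory: Android Security Patch Level March 2023.
FIX_LEVEL="2023-03-01"

# patch_status <android_release> <security_patch_level>
# Prints one of: not-affected, patched, vulnerable, unknown.
# Only Android 13 is affected; patch levels are YYYY-MM-DD, so they can be
# compared numerically once the dashes are stripped.
patch_status() {
    release="$1"
    level="$2"
    if [ "$release" != "13" ]; then
        echo "not-affected"
        return 0
    fi
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    lvl=$(printf '%s' "$level" | tr -d '-')
    fix=$(printf '%s' "$FIX_LEVEL" | tr -d '-')
    if [ "$lvl" -lt "$fix" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
    return 0
}

# check_device [serial]
# Queries a connected device via adb (assumes USB debugging and adb are
# available) and prints: <release> <patch-level> <status>.
check_device() {
    serial="$1"
    rel=$(adb ${serial:+-s "$serial"} shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb ${serial:+-s "$serial"} shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s %s\n' "$rel" "$lvl" "$(patch_status "$rel" "$lvl")"
}

# Usage with values read from the device's About phone screen:
#   sh check_cve_2023_21026.sh 13 2023-02-05
# or, with a device attached, call check_device from the shell.
if [ "$#" -eq 2 ]; then
    patch_status "$1" "$2"
fi
```

Run `check_device` per serial from `adb devices` to sweep a test bench; devices reporting Android 13 with a patch level before 2023-03-01 are the ones still exposed.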

📡 Detection & Monitoring

Log Indicators:

  • WindowManagerService errors related to touchable regions
  • Application crashes with SurfaceControl exceptions

Network Indicators:

  • No network indicators - this is a local vulnerability

SIEM Query:

No standard SIEM query - monitor Android device logs for WindowManagerService errors

🔗 References
