CVE-2023-21032

4.4 MEDIUM

📋 TL;DR

This CVE describes a heap buffer overflow in libufdt (ufdt_convert.c), the flattened device tree (FDT) library that Android uses to parse device tree blobs and apply device tree overlays. A crafted blob can cause out-of-bounds heap access, leading to local information disclosure from the process that parses it. Exploitation requires System execution privileges, no user interaction is needed, and the advisory lists Android 13 as the affected version.

💻 Affected Systems

Products:
  • Android
Versions: Android 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices running Android 13. Requires System execution privileges for exploitation.

📦 What is this software?

libufdt is the AOSP library (system/libufdt) for working with flattened device tree blobs: it parses a DTB into an in-memory tree and applies device tree overlays (DTBO) on top of it. ufdt_convert.c is the part of that library that builds the in-memory tree from the raw blob. It is user-space code, so a memory-safety bug here exposes the memory of the process that links libufdt, not kernel memory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker already running with System execution privileges could feed a crafted device tree blob to a process that parses it with libufdt and read heap memory past the intended bounds, exposing whatever other data that process holds.

🟠

Likely Case

Local information disclosure of heap contents from a libufdt-using process to an already-privileged attacker, which could serve as a leak primitive (for example, to learn addresses) in a longer exploit chain.

🟢

If Mitigated

Minimal impact: the bug is only reachable from code that already has System execution privileges, so application sandboxing and SELinux policy that keep untrusted code from reaching that level bound the damage.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring System privileges; it is not exploitable over the network.
🏢 Internal Only: MEDIUM - Third-party apps cannot obtain System execution privileges on their own, so exploitation requires a compromised system process or a platform-signed component, but such an attacker could use it to disclose process memory.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires System execution privileges and a crafted device tree blob that triggers the out-of-bounds access in libufdt. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2023-03-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the March 2023 security patch or later.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict System Privileges

Keep SELinux enforcing and tighten policy so that only the intended platform processes can run with System execution privileges. This does not remove the bug; it only limits which code can reach it.

🧯 If You Can't Patch

  • Keep application sandboxing and privilege separation strict so that untrusted code cannot reach System execution privileges
  • Monitor for SELinux denials and privilege escalation attempts, and for native crashes (tombstones) in system processes whose backtraces pass through libufdt

🔍 How to Verify

Check if Vulnerable:

Check Android version: Settings > About phone > Android version. A device running Android 13 with a security patch level earlier than March 1, 2023 is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify the security patch level: Settings > About phone > Android version > Android security update. It should show 'March 1, 2023' or later (a device showing 'March 5, 2023' also includes the fix).
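The two adb properties above can be turned into a repeatable check. The following script is an added example, not part of the advisory: it classifies a device from ro.build.version.release and ro.build.version.security_patch, assuming (as the advisory states) that only Android 13 is affected and that the fix ships with security patch level 2023-03-01. Function names and the --device flag are this example's own.

```shell
#!/bin/sh
# Added example for CVE-2023-21032 exposure checking (not the advisory's code).
# Assumptions: fix is included in patch level 2023-03-01 or later; only
# Android 13 is listed as affected; adb is on PATH when --device is used.

FIX_LEVEL=20230301   # 2023-03-01 as a sortable integer (YYYYMMDD)

# Convert ro.build.version.security_patch (YYYY-MM-DD) to YYYYMMDD.
# Prints nothing and returns 1 if the value is not a well-formed date.
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-' ;;
        *)
            return 1 ;;
    esac
}

# assess RELEASE PATCH_LEVEL
# Prints one of: not-affected, vulnerable, patched, unknown
assess() {
    release=$1
    patch=$2
    level=$(patch_level_to_int "$patch") || { echo unknown; return 0; }
    case "$release" in
        13) ;;                              # the only version the bulletin lists
        *)  echo not-affected; return 0 ;;
    esac
    if [ "$level" -ge "$FIX_LEVEL" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Query a connected device over adb and print the verdict.
# tr strips the CR that adb shell appends on some hosts.
check_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'release=%s patch=%s verdict=%s\n' \
        "$release" "$patch" "$(assess "$release" "$patch")"
}

# Only touch adb when explicitly asked, so the functions can be sourced
# and exercised offline.
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Run it as `sh check_cve_2023_21032.sh --device` with a device attached; without the flag it only defines the functions, which lets you source it from a fleet-inventory script that already has the two property values.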

📡 Detection & Monitoring

Log Indicators:

  • Native crash tombstones or logcat DEBUG entries whose backtrace includes ufdt_convert.c or libufdt (the library is user space, so a failed trigger shows up as a process crash, not a kernel panic)
  • SELinux denials for System privilege escalation attempts
  • Unexpected device tree blob or overlay processing by a system process

Network Indicators:

  • No network indicators - this is a local vulnerability

SIEM Query:

source="android_logcat" AND ("ufdt_convert" OR "libufdt" OR "CVE-2023-21032" OR "A-248085351")

Adjust the source name to match how your pipeline ingests logcat and tombstone data; kernel log sources will not contain these strings.
