CVE-2023-21048

4.4 MEDIUM

📋 TL;DR

This CVE describes an out-of-bounds read vulnerability in the Android kernel's nan.cpp component. It could allow local information disclosure to attackers with system execution privileges, requiring no user interaction. Affected systems include Android devices with vulnerable kernel versions.

💻 Affected Systems

Products:
  • Android
Versions: Android kernel versions prior to March 2023 security patches
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Requires system execution privileges for exploitation. Pixel devices specifically mentioned in references.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker with system privileges could read sensitive kernel memory, potentially exposing cryptographic keys, passwords, or other protected data.

🟠 Likely Case

Limited information disclosure from kernel memory to a malicious app with elevated privileges.

🟢 If Mitigated

No impact if proper privilege separation and kernel hardening are implemented.

🌐 Internet-Facing: LOW - Requires local access and system privileges.
🏢 Internal Only: MEDIUM - Could be exploited by malicious apps or compromised devices within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires system privileges and knowledge of kernel memory layout. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2023 Android security patch level

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Apply March 2023 or later security patch.
3. Reboot device after update completes.

🔧 Temporary Workarounds

Restrict system privileges

Limit apps with system execution privileges using SELinux policies and app permissions.

adb shell setenforce 1
adb shell getenforce

🧯 If You Can't Patch

  • Implement strict app vetting and permission controls to prevent malicious apps from obtaining system privileges.
  • Use Android Enterprise or MDM solutions to enforce security policies and isolate vulnerable devices.

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version. If before March 2023, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows March 2023 or later after update.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • SELinux denials related to nan.cpp
  • Abnormal memory access patterns in kernel logs

Network Indicators:

  • None - local vulnerability only

SIEM Query:

source="android_kernel" AND ("nan.cpp" OR "out of bounds read")
