CVE-2023-21053

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to read memory beyond intended boundaries in Android's cell broadcast message processing. It could disclose sensitive information without user interaction. Affects Android devices with vulnerable kernel versions.

💻 Affected Systems

Products:
  • Android
Versions: Android kernel versions before March 2023 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices receiving cell broadcast messages; requires vulnerable kernel build.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker could read kernel memory, potentially exposing sensitive data like encryption keys, passwords, or other device information.

🟠 Likely Case

Information disclosure of limited memory contents, possibly revealing device state or configuration data.

🟢 If Mitigated

No impact if patched; unpatched devices remain vulnerable to information disclosure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted cell broadcast messages; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2023 Android security patch level

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-03-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the March 2023 Android security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable cell broadcast messages (platform: Android)

Prevent processing of cell broadcast messages that could trigger the vulnerability.

🧯 If You Can't Patch

  • Segment vulnerable devices from untrusted networks
  • Monitor for unusual cell broadcast traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version. If the patch level is earlier than March 2023, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the security patch level shows March 2023 or later in Settings > About phone > Android version.
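As an added example (not part of the original advisory), the following POSIX shell script automates the check above: it validates the `ro.build.version.security_patch` value, compares it with the 2023-03-01 fix level named in the advisory, and can query every device attached over adb. It assumes `adb` is on PATH and USB debugging is enabled on the devices.

```shell
#!/bin/sh
# Added example, not from the original advisory: classify an Android
# security patch level against the March 2023 fix for CVE-2023-21053.
# The fixed patch level (2023-03-01) is the one stated in the advisory.
FIXED_PATCH_LEVEL="2023-03-01"

# Returns 0 if the value looks like a YYYY-MM-DD patch level, 1 otherwise
# (empty output, "unknown", a vendor string, or a malformed date).
valid_patch_level() {
  echo "$1" | grep -Eq '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])$'
}

# Prints one of: vulnerable, patched, unknown.
# Dashes are stripped so the dates compare as plain integers (YYYYMMDD).
classify_patch_level() {
  level="$1"
  if ! valid_patch_level "$level"; then
    echo "unknown"
    return 0
  fi
  level_num=$(echo "$level" | tr -d '-')
  fixed_num=$(echo "$FIXED_PATCH_LEVEL" | tr -d '-')
  if [ "$level_num" -lt "$fixed_num" ]; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Query every device attached over adb and print: serial, level, status.
# Assumes adb is on PATH and USB debugging is enabled (stated assumption).
check_attached_devices() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$(classify_patch_level "$level")"
  done
}

# Run the live check only when the script is invoked with "scan".
if [ "${1:-}" = "scan" ]; then
  check_attached_devices
fi
```

Run it as `sh check_patch_level.sh scan` to list each attached device with its patch level and status; a device reporting `unknown` has a non-date property value and should be checked manually.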

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • SMS/cell broadcast processing errors in system logs

Network Indicators:

  • Unusual cell broadcast traffic patterns
  • SMS/CB messages from unexpected sources

SIEM Query:

source="android_system" AND ("sms_ExtractCbLanguage" OR "cell broadcast" OR "CVE-2023-21053")
