CVE-2023-21085

8.8 HIGH

📋 TL;DR

This CVE describes a critical out-of-bounds write vulnerability in Android's NFC implementation that allows remote code execution without user interaction. Attackers within proximity can exploit this to execute arbitrary code on affected devices. All Android devices running versions 11 through 13 are vulnerable.

💻 Affected Systems

Products:
  • Android
Versions: Android 11, 12, 12L, 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with NFC capability are vulnerable when NFC is enabled. Requires attacker proximity or adjacent network access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to install persistent malware, steal sensitive data, or join devices to botnets.

🟠 Likely Case

Local privilege escalation leading to unauthorized access to device resources and user data.

🟢 If Mitigated

Limited impact if devices are patched, NFC is disabled, or proper network segmentation prevents attacker proximity.

🌐 Internet-Facing: LOW - Requires physical proximity or adjacent network access, not directly exploitable over internet.
🏢 Internal Only: HIGH - Attackers within physical proximity (office, public spaces) or on same network can exploit without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires proximity to target device or access to adjacent network. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2023 Android Security Bulletin

Vendor Advisory: https://source.android.com/security/bulletin/2023-04-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Install April 2023 security patch.
3. Reboot device after installation.

🔧 Temporary Workarounds

Disable NFC

Temporarily disable NFC functionality to prevent exploitation

Settings > Connected devices > Connection preferences > NFC > Toggle OFF

🧯 If You Can't Patch

  • Disable NFC functionality on all affected devices
  • Implement network segmentation to limit attacker proximity access

🔍 How to Verify

Check if Vulnerable:

Check the Android version in Settings > About phone > Android version. If the version is 11, 12, 12L, or 13 and the April 2023 patch is not installed, the device is vulnerable.

Check Version:

Settings > About phone > Android version

Verify Fix Applied:

Verify Android Security Patch Level shows 'April 5, 2023' or later in Settings > About phone > Android version.
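
The version and patch-level check above, scripted for devices reachable over adb (an added example, not part of the original advisory). It assumes the standard Android properties ro.build.version.release and ro.build.version.security_patch; the function names are illustrative, and the fixed patch level is the one this page states.

```shell
#!/bin/sh
# Added example: classify a device against the criteria given on this page.
# FIXED_LEVEL is the "Verify Fix Applied" patch level from this page (April 5, 2023).
FIXED_LEVEL=20230405

# classify_device RELEASE PATCH_LEVEL
#   RELEASE      e.g. "13" or "12L"   (ro.build.version.release)
#   PATCH_LEVEL  e.g. "2023-03-05"    (ro.build.version.security_patch)
# Prints one of: VULNERABLE, PATCHED, NOT_LISTED, UNKNOWN
classify_device() {
    release=$1
    patch=$2
    case "$release" in
        11|12|12L|13) ;;                  # versions this page lists as affected
        *) echo NOT_LISTED; return 0 ;;   # outside the page's affected list
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;      # missing or malformed patch level
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    level=$(printf '%s\n' "$patch" | sed 's/-//g')
    if [ "$level" -ge "$FIXED_LEVEL" ]; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# check_connected_device [SERIAL]
# Reads both properties over adb and prints the classification with its inputs.
check_connected_device() {
    serial=${1:+-s $1}
    rel=$(adb $serial shell getprop ro.build.version.release | tr -d '\r')
    pl=$(adb $serial shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s release=%s patch=%s\n' "$(classify_device "$rel" "$pl")" "$rel" "$pl"
}
```

Call check_connected_device with a serial from `adb devices` to audit one handset; an UNKNOWN result means the patch level could not be read and the device should be checked by hand.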

📡 Detection & Monitoring

Log Indicators:

  • Unusual NFC activity logs
  • Crash reports from nci_hmsgs.cc or NFC services

Network Indicators:

  • Unexpected NFC communication attempts
  • Abnormal Bluetooth or WiFi proximity activity

SIEM Query:

source="android_logs" AND (process="NFC" OR message="*nci_*") AND (severity="ERROR" OR severity="CRITICAL")
