CVE-2023-21120

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Android's cdm_engine.cpp that allows local privilege escalation without user interaction. Attackers can exploit improper locking to execute arbitrary code with elevated privileges. This affects Android devices with vulnerable SoC implementations.

💻 Affected Systems

Products:
  • Android devices with vulnerable SoC implementations
Versions: Android SoC versions prior to June 2023 security patches
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specific SoC implementations may vary; check with device manufacturers for exact affected models.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to gain root/system privileges, install persistent malware, access all user data, and bypass security controls.

🟠 Likely Case

Local privilege escalation allowing malicious apps to break out of sandbox, access sensitive data from other apps, and perform unauthorized system operations.

🟢 If Mitigated

Limited impact if devices are patched, SELinux is in enforcing mode, and app sandboxing prevents initial access.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the device.
🏢 Internal Only: HIGH - Malicious apps or compromised user sessions can exploit this without additional permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access but no user interaction; complexity depends on specific SoC implementation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2023 Android Security Bulletin patches

Vendor Advisory: https://source.android.com/security/bulletin/2023-06-01

Restart Required: Yes

Instructions:

1. Apply June 2023 Android security patches from device manufacturer.
2. Reboot device after patch installation.
3. Verify patch level in Settings > Security > Security update.

🔧 Temporary Workarounds

Disable unnecessary apps

android

Reduce attack surface by disabling unused apps that could be used as initial access vectors

Enable Google Play Protect

android

Ensure Google Play Protect is active to detect potentially malicious apps

🧯 If You Can't Patch

  • Isolate vulnerable devices from sensitive networks and data
  • Implement strict app installation policies and only allow trusted sources

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > Security > Security update. If before June 2023, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows June 2023 or later in Settings > Security > Security update.
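
The patch-level check above, scripted so it can classify more than one device, as an added example that is not part of the original page. The function names and the sample inventory are constructed; the threshold string 2023-06-01 is an assumption taken from the date in the vendor advisory URL.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the
# June 2023 fix for CVE-2023-21120. All function names are hypothetical.

# Assumption: first June 2023 patch-level string, from the advisory URL date.
FIXED_LEVEL="2023-06-01"

# classify_patch_level <value of ro.build.version.security_patch>
# Prints PATCHED, VULNERABLE or UNKNOWN. Empty or malformed values map to
# UNKNOWN so an unreachable device is never counted as patched.
classify_patch_level() (
    # adb output can carry a trailing CR or newline; strip all whitespace.
    level=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "UNKNOWN"; exit 0 ;;
    esac
    # Drop the dashes so YYYYMMDD values compare as plain integers.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$have" -lt "$need" ]; then echo "VULNERABLE"; else echo "PATCHED"; fi
)

# audit_inventory: reads "serial patch_level" lines on stdin, prints one
# verdict per device, and exits non-zero if any device is not PATCHED.
audit_inventory() (
    rc=0
    while read -r serial level || [ -n "$serial" ]; do
        [ -n "$serial" ] || continue
        verdict=$(classify_patch_level "$level")
        printf '%s\t%s\t%s\n' "$serial" "${level:-<none>}" "$verdict"
        [ "$verdict" = "PATCHED" ] || rc=1
    done
    exit "$rc"
)

# Constructed sample inventory (not real devices); the third entry has no
# patch level, as when a device did not answer.
sample_inventory() {
    printf '%s\n' 'emulator-5554 2023-05-05' 'lab-phone-01 2023-06-01' \
                  'offline-unit' 'lab-tablet-02 2024-01-05'
}

# Live use with the page's command (needs adb and an attached device):
#   classify_patch_level "$(adb shell getprop ro.build.version.security_patch)"
```

Run `sample_inventory | audit_inventory` to see the per-device verdicts; the non-zero exit status makes the check usable as a gate in a compliance job.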

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • SELinux denials related to cdm_engine

Network Indicators:

  • None - this is a local exploit

SIEM Query:

Search for SELinux denials or privilege escalation events from Android devices with pre-June 2023 patch levels
