CVE-2023-21124

7.8 HIGH (CVSS 3.1 base vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack vector, low privileges required, no user interaction)

📋 TL;DR

This vulnerability allows local privilege escalation on Android through unsafe deserialization in platform code; the advisory locates the flaw across multiple files rather than in a single named component. A local attacker, typically a malicious or compromised app already running on the device, can exploit it without user interaction to gain elevated privileges. Affects Android 11, 12, 12L, and 13.

💻 Affected Systems

Products:
  • Android
Versions: Android 11, 12, 12L, 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Every device running an affected Android version without the June 2023 security patch is vulnerable by default. No special configuration is required; the vulnerable code is part of the platform, not an optional feature.

📦 What is this software?

Android is the Linux-based mobile operating system maintained by Google through the Android Open Source Project and shipped, with vendor modifications, on phones, tablets and other devices. The affected code is part of the platform itself rather than an installable app, so the fix reaches a device only through a system update published by the device vendor.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise: an attacker escalates from an ordinary app to system-level privileges, executes arbitrary code with those privileges, accesses sensitive data belonging to other apps and the user, and persists on the device.

🟠

Likely Case

Local attacker gains elevated privileges to access protected system resources, install malicious apps, or modify system settings.

🟢

If Mitigated

Once the June 2023 security patch is installed the issue is closed. Until then, restricting which apps can be installed limits who can reach the vulnerable code, but does not remove it.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with physical access can exploit this to gain system privileges.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (local access with at least app-level privileges is required)
Complexity: MEDIUM

Exploitation requires code already running on the device, for example a malicious or compromised app. No user interaction is needed once that foothold exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2023 Android Security Bulletin updates

Vendor Advisory: https://source.android.com/security/bulletin/2023-06-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Install the June 2023 security patch (or any later patch level).
3. Restart the device after installation.

🔧 Temporary Workarounds

Disable unknown sources

Prevent installation of apps from unknown sources to reduce the attack surface. This does not remove the vulnerable code; it only makes it harder for a malicious app to reach the device in the first place.

Settings > Apps > Special app access > Install unknown apps > set "Not allowed" for every app (the exact path varies by vendor; older builds show it under Settings > Security)

Enable Google Play Protect

Enable scanning for harmful apps. Again a mitigation against delivery of a malicious app, not a fix for the vulnerability.

Settings > Security > Google Play Protect > Scan device for security threats

🧯 If You Can't Patch

  • Restrict physical access to devices and enforce strict app installation policies (for managed fleets, allow-list apps through the MDM rather than relying on user settings)
  • Monitor for suspicious app behavior, unexpected crashes in system processes, and apps holding privileges they did not request

🔍 How to Verify

Check if Vulnerable:

Check the Android version in Settings > About phone > Android version and the patch level under "Android security patch level". If the version is 11, 12, 12L, or 13 and the patch level predates June 2023, the device is vulnerable.

Check Version:

Settings > About phone > Android version and Security patch level

Verify Fix Applied:

Verify the Android version and security patch level in Settings > About phone. A patch level of June 5, 2023 or later covers every issue in the June 2023 bulletin; treat anything earlier as unpatched.
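The manual check above does not scale past a handful of devices. The script below is an added example, not part of the advisory or of any Google tooling: it reads the two Android system properties that hold the release and patch level (ro.build.version.release and ro.build.version.security_patch, which adb exposes through getprop) and applies the rule from this page, either to a device attached over adb or to a CSV export from an MDM inventory. It uses the full-bulletin level 2023-06-05 as the threshold, so a device on the partial 2023-06-01 level is reported as needing review rather than silently passed. The inventory file at the bottom is constructed sample data, not real devices.

```shell
#!/bin/sh
# Added example: flag Android builds exposed to CVE-2023-21124.
# Rule from the advisory: Android 11, 12, 12L or 13 without the June 2023 patch.
# Assumes the standard property names ro.build.version.release and
# ro.build.version.security_patch (format YYYY-MM-DD).

# Patch level that closes the whole June 2023 bulletin.
FIXED_PATCH="2023-06-05"

# is_vulnerable RELEASE PATCH
# Returns 0 (true) when the build is exposed, 1 when it is not affected or patched.
# An empty or unparseable patch level is treated as exposed, never as safe.
is_vulnerable() {
    release=$1
    patch=$2
    case "$release" in
        11|11.*|12|12.*|12L|13|13.*) ;;   # affected major versions per the advisory
        *) return 1 ;;                     # not in the affected list
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 0 ;;                     # unknown patch level: assume exposed
    esac
    # Zero-padded YYYY-MM-DD compares correctly as an integer once dashes are removed.
    have=$(printf '%s' "$patch" | sed 's/-//g')
    need=$(printf '%s' "$FIXED_PATCH" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then
        return 1
    fi
    return 0
}

# check_device: query the device currently attached over adb.
# Needs adb on PATH and an authorized device; not exercised in the dry run below.
check_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if is_vulnerable "$release" "$patch"; then
        echo "VULNERABLE: Android $release, patch level ${patch:-unknown}"
        return 0
    fi
    echo "not affected: Android $release, patch level $patch"
    return 1
}

# list_vulnerable_from_csv FILE
# FILE holds "serial,release,patch" lines (the shape of a typical MDM export);
# prints the serials that are still exposed. A header line is skipped.
list_vulnerable_from_csv() {
    while IFS=, read -r serial release patch; do
        [ "$serial" = "serial" ] && continue
        if is_vulnerable "$release" "$patch"; then
            printf '%s\n' "$serial"
        fi
    done < "$1"
}

# Constructed sample inventory for a dry run (not real devices).
SAMPLE_CSV=$(mktemp)
cat > "$SAMPLE_CSV" <<'EOF'
serial,release,patch
A1,13,2023-05-05
B2,12,2023-06-01
C3,13,2023-06-05
D4,10,2023-02-05
E5,11,
EOF

# Usage:
#   . ./check_cve_2023_21124.sh && check_device
#   list_vulnerable_from_csv inventory.csv
```

On the sample inventory the script reports A1 (old patch level), B2 (partial June level, needs review) and E5 (patch level missing); C3 is fully patched and D4 runs a version the advisory does not list. The empty-patch case is deliberately treated as exposed, since an inventory gap is far more often a stale record than a patched device.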

📡 Detection & Monitoring

Log Indicators:

  • Android does not log deserialization as such, so there is no vulnerability-specific signature; look instead for unexpected crashes of system processes (logcat, tombstones) and for apps acquiring privileges or performing actions outside what they were granted
  • Newly installed or side-loaded apps on devices that have not yet received the June 2023 patch

Network Indicators:

  • Not applicable - local vulnerability with no network component

SIEM Query:

No network-side query applies. For a managed fleet, query the MDM inventory for devices reporting Android 11, 12, 12L or 13 with a security patch level earlier than 2023-06-05 and treat those as exposed.

🔗 References

  • Android Security Bulletin, June 2023: https://source.android.com/security/bulletin/2023-06-01
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-21124