CVE-2023-21147

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Android kernel's I2C device driver that allows local privilege escalation without user interaction. Attackers can exploit this logic error to gain elevated system privileges on affected Android devices. Only Android devices with specific kernel versions are impacted.

💻 Affected Systems

Products:
  • Android
Versions: Android kernel versions prior to June 2023 security patches
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects devices whose kernel includes the vulnerable lwis_i2c_device_disable function. Pixel devices are confirmed affected per the bulletin.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attackers to execute arbitrary code with kernel privileges, install persistent malware, access all user data, and bypass all security controls.

🟠 Likely Case

Local privilege escalation allowing malicious apps to break out of the sandbox and gain system-level access to sensitive resources and other apps' data.

🟢 If Mitigated

Limited impact if devices are patched, have SELinux in enforcing mode, and app sandboxing prevents initial access to the vulnerable component.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with physical access can exploit this to gain full control of affected Android devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access but no user interaction. Exploitation involves triggering the use-after-free condition to manipulate kernel memory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2023 Android Security Bulletin patches

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-06-01

Restart Required: Yes

Instructions:

1. Apply the June 2023 Android security patch via OTA update.
2. For Pixel devices, ensure the build number includes the June 2023 security patch level.
3. Reboot the device after update installation.

🔧 Temporary Workarounds

Disable vulnerable I2C devices

Disable I2C devices that use the vulnerable driver if they are not required for device functionality (Linux shell command; replace [device] with the target I2C device entry):

echo 0 > /sys/bus/i2c/devices/[device]/enable

🧯 If You Can't Patch

  • Restrict physical access to devices and implement strict app installation policies
  • Enable SELinux enforcing mode and implement application sandboxing to limit exploit impact

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version. If it is before June 2023, the device is vulnerable.

Check Version:

getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows 'June 5, 2023' or later in Settings > About phone > Android version.
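The patch-level check above as a shell helper, added here as an example rather than taken from the bulletin: it classifies a ro.build.version.security_patch value (YYYY-MM-DD, as getprop reports it) against the June 5, 2023 fix level, and the optional --live mode assumes an installed, authorized adb.

```shell
#!/bin/sh
# Patch level that closes CVE-2023-21147, as getprop reports it (YYYY-MM-DD).
FIXED_PATCH_LEVEL="2023-06-05"

# Classify a ro.build.version.security_patch value.
# Prints "vulnerable", "patched", or "unknown" (empty or malformed input is
# not treated as safe). Always returns 0 so it composes cleanly under set -e.
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Strip the dashes so the dates compare numerically: 2023-06-05 -> 20230605.
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -lt "$want" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Query a connected device over adb (assumption: adb is installed and authorized).
live_check() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null)
    echo "security_patch=${level:-<none>} -> $(classify_patch_level "$level")"
}

if [ "${1:-}" = "--live" ]; then
    live_check
elif [ "$#" -gt 0 ]; then
    # Offline mode: classify patch-level values passed on the command line.
    for level in "$@"; do
        echo "$level -> $(classify_patch_level "$level")"
    done
fi
```

Run it as `sh check_patch.sh --live` against a connected device, or `sh check_patch.sh 2023-05-05` to classify a value collected elsewhere.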

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • SELinux denials related to I2C device access
  • Unexpected privilege escalation attempts

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="android_kernel" AND ("lwis_i2c" OR "use-after-free" OR "kernel panic")
