CVE-2023-35652

7.5 HIGH

📋 TL;DR

This CVE describes an out-of-bounds read vulnerability in Android's baseband firmware that could allow remote information disclosure. Attackers could potentially read sensitive data from memory, but exploitation requires compromising the baseband firmware first. Affects Android devices, particularly Google Pixel phones.

💻 Affected Systems

Products:
  • Google Pixel phones
  • Android devices with affected baseband firmware
Versions: Android versions prior to October 2023 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects ProtocolEmergencyCallListIndAdapter::Init in protocolcalladapter.cpp. Requires baseband firmware compromise for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker reads sensitive data from device memory including potentially authentication tokens, encryption keys, or other protected information after compromising baseband firmware.

🟠 Likely Case

Limited information disclosure from baseband memory, potentially exposing device identifiers or telemetry data.

🟢 If Mitigated

No impact if baseband firmware is not compromised or device is patched.

🌐 Internet-Facing: MEDIUM - Requires baseband firmware compromise which is difficult but possible via specialized attacks.
🏢 Internal Only: LOW - Baseband attacks typically require proximity or carrier-level access, not internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires baseband firmware compromise first, which is technically challenging. No user interaction needed once baseband is compromised.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 Android security patch or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2023-10-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Install the October 2023 or later security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable emergency call features

Disable emergency call functionality to potentially mitigate the vulnerability (not recommended for primary devices)

🧯 If You Can't Patch

  • Isolate vulnerable devices from untrusted networks
  • Monitor for unusual baseband activity or unexpected information disclosure

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version. If the patch level is before October 2023, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows October 2023 or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

  • Baseband crash logs
  • Unexpected memory access patterns in baseband logs

Network Indicators:

  • Unusual baseband communication patterns
  • Suspicious emergency call protocol traffic

SIEM Query:

Search for baseband firmware crashes or emergency call protocol anomalies in device logs
