CVE-2023-40140

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in Android's InputDevice component that allows local privilege escalation without user interaction. Attackers can execute arbitrary code to gain elevated system privileges. All Android devices running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Android OS
Versions: Android versions prior to October 2023 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All Android devices with unpatched versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to install persistent malware, access sensitive data, and control device functions.

🟠

Likely Case

Local privilege escalation enabling attackers to bypass security controls and gain system-level access.

🟢

If Mitigated

Limited impact if devices are patched and have proper security controls like SELinux enforcement.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring physical or local access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with local access can exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access but no user interaction. The vulnerability is in core Android framework code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2023-10-01

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the October 2023 or later security patch.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Restrict app installations (platform: android)

Only install apps from trusted sources such as the Google Play Store to reduce the attack surface.

Enable Google Play Protect (platform: android)

Ensure Google Play Protect is enabled to detect and block malicious apps.

🧯 If You Can't Patch

  • Isolate vulnerable devices from sensitive networks and data
  • Implement strict app installation policies and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Security patch level

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows October 2023 or later date
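The verification steps above can be scripted for a fleet of devices. The following is an added example, not part of this advisory: it reads ro.build.version.security_patch over adb, validates the YYYY-MM-DD format, and compares it against the 2023-10-01 bulletin date. The is_patched function works on a plain string, so it can be used without a device attached; check_all and the "--run" flag assume adb is installed and the devices are authorized for debugging.

```shell
#!/bin/sh
# Added example (not from the advisory): classify Android devices as fixed
# or still exposed to CVE-2023-40140 by their security patch level.

# Bulletin that ships the fix, per the vendor advisory.
FIX_LEVEL="2023-10-01"

# is_patched LEVEL
#   returns 0 if LEVEL is a YYYY-MM-DD date on or after FIX_LEVEL,
#           1 if it is an older date,
#           2 if the string is not a recognizable patch level.
is_patched() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes and compare as integers (YYYYMMDD), which is
    # portable POSIX sh; string '<' comparison is not available in every test(1).
    lvl=$(printf '%s' "$level" | tr -d '-')
    fix=$(printf '%s' "$FIX_LEVEL" | tr -d '-')
    if [ "$lvl" -lt "$fix" ]; then
        return 1
    fi
    return 0
}

# check_device SERIAL
#   queries one device via adb, prints a status line and returns the
#   is_patched result so callers can count exposed devices.
check_device() {
    serial="$1"
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r\n')
    rc=0
    is_patched "$level" || rc=$?
    case "$rc" in
        0) echo "$serial: patch level $level, fix present" ;;
        1) echo "$serial: patch level $level, VULNERABLE (needs $FIX_LEVEL or later)" ;;
        *) echo "$serial: patch level '$level' not recognized, check manually" ;;
    esac
    return "$rc"
}

# check_all
#   walks every device adb reports in the 'device' state (skipping the
#   header line and unauthorized/offline entries).
check_all() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        check_device "$serial" || true
    done
}

# Run the fleet check only when asked, so the functions can be sourced alone.
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Run it as `sh check_patch.sh --run` with devices attached; a device reporting exactly 2023-10-01 counts as fixed, anything earlier is flagged, and a malformed property value is reported rather than silently treated as patched.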

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in system logs
  • Suspicious InputDevice-related crashes

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

Not applicable for typical Android deployments

🔗 References
