CVE-2023-21131: In checkKeyIntentParceledCorrectly() of ActivityManagerService.java, there is a possible bypass of Parcel Mismatch mitigations due to a logic error...

Description

In checkKeyIntentParceledCorrectly() of ActivityManagerService.java, there is a possible bypass of Parcel Mismatch mitigations due to a logic error in the code. This could lead to local escalation of privilege and the ability to launch arbitrary activities in settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-265015796

Classification

CVE ID: CVE-2023-21131

Affected Products

Vendor: n/a

Product: Android

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.08% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://source.android.com/security/bulletin/2023-06-01

Timeline

2024-12-19 00:30:28 UTC
CVE

In checkKeyIntentParceledCorrectly() of ActivityManagerService.java, there is a possible bypass of Parcel Mismatch mitigations due to a logic error...