CVE-2023-21089
https://notcve.org/view.php?id=CVE-2023-21089
In startInstrumentation of ActivityManagerService.java, there is a possible way to keep the foreground service alive while the app is in the background. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-237766679 • https://source.android.com/security/bulletin/2023-04-01 •
CVE-2023-21097
https://notcve.org/view.php?id=CVE-2023-21097
In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-261858325 • https://source.android.com/security/bulletin/2023-04-01 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVE-2023-20950
https://notcve.org/view.php?id=CVE-2023-20950
In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12LAndroid ID: A-195756028 • https://source.android.com/security/bulletin/2023-04-01 • CWE-863: Incorrect Authorization •
CVE-2023-20909
https://notcve.org/view.php?id=CVE-2023-20909
In multiple functions of RunningTasks.java, there is a possible privilege escalation due to a missing privilege check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-243130512 • https://source.android.com/security/bulletin/2023-04-01 •
CVE-2023-21096
https://notcve.org/view.php?id=CVE-2023-21096
In OnWakelockReleased of attribution_processor.cc, there is a use after free that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-254774758 • https://source.android.com/security/bulletin/2023-04-01 • CWE-416: Use After Free •