Vulnerability Details CVE-2023-40075
In forceReplaceShortcutInner of ShortcutPackage.java, there is a possible way to register unlimited packages due to a missing bounds check. This could lead to local denial of service which results in a boot loop with no additional execution privileges needed. User interaction is not needed for exploitation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 20.8%
CVSS Severity
CVSS v3 Score 5.5
References
- https://android.googlesource.com/platform/frameworks/base/+/ae768fbb9975fdab267f525831cb52f485ab0ecc
- https://source.android.com/security/bulletin/2023-12-01
- https://android.googlesource.com/platform/frameworks/base/+/ae768fbb9975fdab267f525831cb52f485ab0ecc
- https://source.android.com/security/bulletin/2023-12-01
Products affected by CVE-2023-40075
-
cpe:2.3:o:google:android:11.0
-
cpe:2.3:o:google:android:12.0
-
cpe:2.3:o:google:android:12.1
-
cpe:2.3:o:google:android:13.0
-
cpe:2.3:o:google:android:14.0