CVE-2023-35685

HighPublic PoC

Published: 08 January 2025

Published

08 January 2025

Modified

31 January 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 7.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In DevmemIntMapPages of devicemem_server.c, there is a possible physical page uaf due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Security Summary

CVE-2023-35685 is a vulnerability in the DevmemIntMapPages function of devicemem_server.c, where a logic error in the code can result in a physical page use-after-free (UAF). This issue affects the kernel and is associated with CWE-416.

A local attacker with low privileges (PR:L) can exploit this vulnerability due to its low attack complexity (AC:L) and lack of required user interaction (UI:N). Successful exploitation enables kernel escalation of privilege with no additional execution privileges needed, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Mitigation details are available in the advisory published on the Google Issue Tracker at https://issuetracker.google.com/issues/42420027.

Details

CWE(s): NVD-CWE-noinfoCWE-416

Affected Products

google

android

all versions

References

https://issuetracker.google.com/issues/42420027
Exploit, Mailing List · security@android.com