SB2023040457 - Multiple vulnerabilities in Google Pixel (January 2023)

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023040457

SB2023040457 - Multiple vulnerabilities in Google Pixel (January 2023)

Published: April 4, 2023

Security Bulletin ID SB2023040457
Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Medium 13% Low 88%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2023-20924)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Pixel 6a Fingerprint Scanner subcomponent in Pixel. A local application can execute arbitrary code.


2) Improper input validation (CVE-ID: CVE-2023-20925)

The vulnerability allows a local application to execute arbitrary code.

The vulnerability exists due to improper input validation within the Pixel Power service subcomponent in Pixel. A local application can execute arbitrary code.


3) Information exposure (CVE-ID: CVE-2023-20923)

The vulnerability allows a local application to gain access to sensitive information.

The vulnerability exists due to improper input validation within the ShannonRcs subcomponent in Pixel. A local application can gain access to sensitive information.


4) Buffer over-read (CVE-ID: CVE-2022-22079)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in BOOT. A local attacker can perform a denial of service (DoS) attack.


5) Incorrect Type Conversion or Cast (Type Conversion) (CVE-ID: CVE-2022-25715)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Display driver. A local privileged application can execute arbitrary code.


6) Use After Free (CVE-ID: CVE-2022-25717)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Display. A local privileged application can execute arbitrary code.


7) Incorrect Type Conversion or Cast (Type Conversion) (CVE-ID: CVE-2022-25721)

The vulnerability allows a local privileged application to execute arbitrary code.

The vulnerability exists due to improper input validation in Video driver. A local privileged application can execute arbitrary code.


8) Information Exposure (CVE-ID: CVE-2022-25722)

The vulnerability allows a local privileged application to read and manipulate data.

The vulnerability exists due to improper input validation in DSP Services. A local privileged application can read and manipulate data.


Remediation

Install update from vendor's website.

References