vulnerability context

CVE-2023-20938

CVSS 7.8 HIGHEPSS 25%CWE-416

In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-257685302References: Upstream kernel

Published 2023-02-28 · last modified 2026-06-17

details

CISA KEV status: Not in catalog
CVSS v3: 7.8 / HIGH
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 25% percentile (score 0.0033)
CWE: CWE-416
OTX pulses: 0 total, 0 recent

View on NVD → · cve.org

source mentions 1

[Undercode Testing] From UAF to Root: Deconstructing Android’s Cross-Cache Exploit CVE-2023-20938 + Video Introduction: The Li...Bluesky · 1d ago

source consensus

Bluesky1×

Want the 3-bullet summary of CVE-2023-20938, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →