PT-2023-17816 · Google · Android
Published: 2023-03-24 · Updated: 2023-03-30 · CVE-2023-21026
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Android version Android-13
Description
In the updateInputChannel function of WindowManagerService.java, a logic error allows setting a touchable region beyond its own SurfaceControl. This could lead to local denial of service without needing additional execution privileges. User interaction is not required for exploitation.
Recommendations
For Android version Android-13, apply the necessary patch or update to resolve the issue. As a temporary workaround, consider restricting access to the updateInputChannel function in WindowManagerService.java to minimize the risk of exploitation.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Android