PT-2023-7530 · Google · Android

Tchebb · Published 2023-12-01 · Updated 2024-02-13 · CVE-2023-45779

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Android versions prior to the 2023-12-05 security patch

Description

The issue is in the APEX module framework of AOSP, where improper use of cryptography could lead to a malicious update of platform components. This could result in local escalation of privilege with no additional execution privileges needed. User interaction is not required for exploitation. Several Android OEMs, including ASUS, Fairphone, Lenovo, Microsoft, Nokia, Nothing, and Vivo, were affected because they were signing some of their APEX modules with publicly available test keys.

Recommendations

For Android versions prior to the 2023-12-05 security patch, update to a version that includes the December 2023 security update to resolve the issue. As a temporary workaround, consider restricting access to the APEX module framework until a patch is available.

Exploit

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2023-08584
CVE-2023-45779

Affected Products

Android