Android GeoLocation.java: Mock Location in Emergency Enables Priv Escalation
CVE-2023-35692 Published on July 14, 2023
In getLocationCache of GeoLocation.java, there is a possible way to send a mock location during an emergency call due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Weakness Type
Improper Check for Dropped Privileges
The software attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded. If the drop fails, the software will continue to run with the raised privileges, which might provide additional access to unprivileged users.
Products Associated with CVE-2023-35692
Want to know whenever a new CVE is published for Google Android? stack.watch will email you.
Affected Versions
Google Android Version Android kernel is affected by CVE-2023-35692Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.