CVE-2023-40096 : In OpRecordAudioMonitor::onFirstRef of AudioRecordClient.cpp, there is a possibl

In OpRecordAudioMonitor::onFirstRef of AudioRecordClient.cpp, there is a possible way to record audio from the background due to a missing flag. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.

Published 2023-12-04 23:15:25

Updated 2024-02-02 03:14:44

Source Android (associated with Google Inc. or Open Handset Alliance)

View at NVD, CVE.org

Products affected by CVE-2023-40096

Google » Android » Version: 11.0
cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 12.0
cpe:2.3:o:google:android:12.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 12.1
cpe:2.3:o:google:android:12.1:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 13.0
cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*
Matching versions
Google » Android » Version: 14.0
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-40096

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 6 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-40096

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2023-40096

https://android.googlesource.com/platform/frameworks/av/+/148aeea373febc959c429f2cabd8323508c38ad8

148aeea373febc959c429f2cabd8323508c38ad8 - platform/frameworks/av - Git at Google
Patch
https://android.googlesource.com/platform/frameworks/av/+/5f401fc9f214789d691798620fea60015962370a

5f401fc9f214789d691798620fea60015962370a - platform/frameworks/av - Git at Google
Patch
https://source.android.com/security/bulletin/2023-12-01

Android Security Bulletin—December 2023 | Android Open Source Project
Patch;Vendor Advisory

CVEs referencing this url
https://android.googlesource.com/platform/frameworks/native/+/9ddecd3d2b88de5ff7aa890d7ba9967c30d8b183

9ddecd3d2b88de5ff7aa890d7ba9967c30d8b183 - platform/frameworks/native - Git at Google
Patch
https://android.googlesource.com/platform/frameworks/base/+/b0f6558fb36eb76df35c516ec5a65030a34a8734

b0f6558fb36eb76df35c516ec5a65030a34a8734 - platform/frameworks/base - Git at Google
Patch

Jump to

Vulnerability Details : CVE-2023-40096

Products affected by CVE-2023-40096

Exploit prediction scoring system (EPSS) score for CVE-2023-40096

CVSS scores for CVE-2023-40096

References for CVE-2023-40096