CVE-2023-20938

Severity: HIGH

Android - Use-After-Free in binder_transaction_buffer_release

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2023-20938. PoCs published by jaf0rk, anansi2safe, Cyb3rCr0wCC.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2023-20938, targeting the Android Binder driver. The code includes utilities for Binder IPC operations, transaction handling, and service manager interactions, demonstrating the vulnerability through crafted transactions.

Description

In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-257685302
References: Upstream kernel

Exploits (4)

Source: nomisec · Working PoC · 14 stars
by jaf0rk · poc
https://github.com/jaf0rk/CVE-2023-20938

This repository contains a functional proof-of-concept exploit for CVE-2023-20938, targeting the Android Binder driver. The code includes utilities for Binder IPC operations, transaction handling, and service manager interactions, demonstrating the vulnerability through crafted transactions.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Reliable
Target: Android Binder driver (Linux kernel)
No auth needed
Prerequisites: Access to the target Android device · Kernel with vulnerable Binder driver
Analyzed by devstral-2 on Jun 17, 2026

Source: nomisec · Working PoC · 9 stars
by anansi2safe · poc
https://github.com/anansi2safe/CVE-2023-20938

This repository contains a working proof-of-concept exploit for CVE-2023-20938, a use-after-free vulnerability in the Android Binder driver. The exploit demonstrates a race condition leading to a use-after-free scenario, triggering a KASAN crash in the kernel.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Complex
Reliability: Racy
Target: Android Binder driver (android12-5.10.136_r00)
No auth needed
Prerequisites: Android environment with Binder driver vulnerability · ITokenManager to establish process connections
Analyzed by devstral-2 on Feb 16, 2026

Source: nomisec · Writeup
by Cyb3rCr0wCC · poc
https://github.com/Cyb3rCr0wCC/cve-2023-20938

This repository contains detailed technical documentation and analysis of CVE-2023-20938, focusing on Binder transactions in the Linux Kernel, including low-level mechanics, exploitation strategies, and related code snippets. It provides in-depth research on the vulnerability but does not include a functional exploit.

Classification: Writeup (95%)
Attack type: LPE
Complexity: Complex
Reliability: Theoretical
Target: Android Binder IPC mechanism
No auth needed
Prerequisites: Access to Android device with vulnerable Binder implementation · Kernel-level debugging capabilities
Analyzed by devstral-2 on May 17, 2026

Source: nomisec · Working PoC
by 0xAtharv · poc
https://github.com/0xAtharv/CVE-2023-20938-Public

This repository contains a proof-of-concept exploit for CVE-2023-20938, demonstrating a vulnerability in the Android Binder IPC subsystem. It includes both QEMU emulation and real device exploitation code, leveraging the libdevbinder library for interaction with the binder device.

Classification: Working PoC (90%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android Binder IPC subsystem
No auth needed
Prerequisites: Access to the target Android device or QEMU emulation environment · Root access to create a new binder device node on real devices
Analyzed by devstral-2 on Feb 16, 2026

References (1)


Scores

CVSS v3: 7.8
EPSS: 0.0033
EPSS percentile: 24.8%
Attack vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: total

Details

CWE: CWE-416
Status: published
Products (1): google/android
Published: Feb 28, 2023
Tracked since: Feb 18, 2026