CVE-2023-20963

HIGH KEV

Android - Local Privilege Escalation via WorkSource Parcel Mismatch

Title source: llm

Exploitation Summary

CVE-2023-20963 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 13, 2023. EIP tracks 4 public exploits from researchers including pwnipc, black7024, and GabrieleDattile.

AI-analyzed exploit summary: This PoC exploits CVE-2023-20963, a vulnerability in Android's WorkSource parcel/unparcel logic, to bypass screen lock by manipulating Bundle data. It demonstrates a local privilege escalation by crafting malicious Parcel data to trigger unintended behavior in the Android framework.

Description

In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-11 Android-12 Android-12L Android-13
Android ID: A-220302519

Exploits (4)

nomisec WORKING POC 70 stars
by pwnipc · local
https://github.com/pwnipc/BadParcel

This PoC exploits CVE-2023-20963, a vulnerability in Android's WorkSource parcel/unparcel logic, to bypass screen lock by manipulating Bundle data. It demonstrates a local privilege escalation by crafting malicious Parcel data to trigger unintended behavior in the Android framework.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Android Framework (AOSP versions 11, 12, 12L, 13 with security patch levels prior to March 2023)
No auth needed
Prerequisites: Android device with vulnerable AOSP version · Ability to install a malicious app
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by black7024 · local
https://github.com/black7024/BadParcel

This repository contains a proof-of-concept exploit for CVE-2023-20963, a vulnerability in Android's WorkSource parcel/unparcel logic. The exploit demonstrates a screen lock bypass by manipulating parcel data to launch arbitrary activities.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Android AOSP versions 11, 12, 12L, 13 with security patch levels prior to March 2023
No auth needed
Prerequisites: Device with vulnerable Android version · Ability to install and run the PoC application
devstral-2 · analyzed Feb 16, 2026

github WORKING POC
by GabrieleDattile · pythonpoc
https://github.com/GabrieleDattile/cve-pocs/tree/main/CVE/CVE-2023-20963

The repository contains a functional PoC for CVE-2023-20963, demonstrating a WorkSource parcel/unparcel mismatch vulnerability in Android 11-13. The exploit leverages malformed parcel data to trigger arbitrary code execution or privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Android 11, 12, 12L, 13
No auth needed
Prerequisites: Android device with vulnerable OS version · Ability to install malicious APK
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by Trinadh465 · poc
https://github.com/Trinadh465/frameworks_base_AOSP10_r33_CVE-2023-20963

This repository contains a proof-of-concept exploit for CVE-2023-20963, targeting Android's Autofill framework. The code includes test cases that demonstrate the vulnerability by manipulating focus events and autofill responses.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Android Autofill Framework (AOSP10 r33)
No auth needed
Prerequisites: Access to an Android device with the vulnerable Autofill framework
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.8
EPSS: 0.0144
EPSS Percentile: 69.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2023-04-13
VulnCheck KEV: 2023-03-06
InTheWild.io: 2023-03-06
ENISA EUVD: EUVD-2023-25131
CWE: CWE-295
Status: published
Products (4):
google/android 11.0
google/android 12.0
google/android 12.1
google/android 13.0
Published: Mar 24, 2023
KEV Added: Apr 13, 2023
Tracked Since: Feb 18, 2026