CVE-2023-21272

HIGH

Android - Local Privilege Escalation via URI Permission Grant

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-21272. PoCs published by pazhanivel07, Trinadh465.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for CVE-2023-21272, targeting Android's Autofill framework. The test cases demonstrate how autofill services can be manipulated to trigger unintended behavior, potentially leading to information disclosure or denial of service.

Description

In readFrom of Uri.java, there is a possible bad URI permission grant due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (2)

nomisec WORKING POC

by pazhanivel07 · poc

https://github.com/pazhanivel07/platform_frameworks_base_AOSP_10_r33_CVE-2023-21272

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2023-21272, targeting Android's Autofill framework. The test cases demonstrate how autofill services can be manipulated to trigger unintended behavior, potentially leading to information disclosure or denial of service.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Android Autofill Framework (AOSP 10 r33)

No auth needed

Prerequisites: Access to an Android device with Autofill enabled · Ability to install a malicious Autofill service

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Trinadh465 · poc

https://github.com/Trinadh465/frameworks_base_AOSP-4.2.2_r1_CVE-2023-21272

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for CVE-2023-21272, targeting Android's ActivityManager service. The exploit leverages a vulnerability in the `Am.java` file to potentially achieve privilege escalation or unauthorized command execution.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Android Open Source Project (AOSP) 4.2.2_r1

No auth needed

Prerequisites: Access to the target Android device · Ability to execute commands via adb or similar

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Broken Link

https://android.googlesource.com/platform/frameworks/base/+/4dea696369a309cf39daa3e94fec7156c290a9c2

Patch, Vendor Advisory

https://source.android.com/security/bulletin/2023-08-01

Scores

CVSS v3 7.8

EPSS 0.0017

EPSS Percentile 6.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-269

Status published

Products (3)

google/android 11.0

google/android 12.0

google/android 12.1

Published Aug 14, 2023

Tracked Since Feb 18, 2026