CVE-2023-35669

HIGH

Google Android - Insecure Deserialization

Title source: rule

Description

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to control other running activities due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References (2)

[Issue Tracking, Patch] https://android.googlesource.com/platform/frameworks/base/+/f810d81839af38ee121c446105ca67cb12992fc6

[Vendor Advisory] https://source.android.com/security/bulletin/2023-09-01

Scores

CVSS v3 7.8

EPSS 0.0002

EPSS Percentile 3.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (4)

google/android

Timeline

Published Sep 11, 2023

Tracked Since Feb 18, 2026