CVE-2023-35671

MEDIUM

Android - Local Information Disclosure via NFC Host Emulation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-35671. PoCs published by MrTiz.

AI-analyzed exploit summary This repository documents CVE-2023-35671, an Android vulnerability in Google Wallet where NFC data (card number and expiry) can be read via an NFC reader while the device is locked, bypassing the 'Require device unlock for NFC' setting. The PoC involves using a Flipper Zero to exploit this logic error in `HostEmulationManager.java`.

Description

In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (1)

nomisec WRITEUP 73 stars
by MrTiz · poc
https://github.com/MrTiz/CVE-2023-35671

This repository documents CVE-2023-35671, an Android vulnerability in Google Wallet where NFC data (card number and expiry) can be read via an NFC reader while the device is locked, bypassing the 'Require device unlock for NFC' setting. The PoC involves using a Flipper Zero to exploit this logic error in `HostEmulationManager.java`.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Google Wallet on Android (builds before September 2023)
No auth needed
Prerequisites: Android device with App Pinning enabled · Google Wallet with a configured payment card · NFC reader (e.g., Flipper Zero) · NFC enabled with 'Require device unlock for NFC' setting
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

Scores

CVSS v3 5.5
EPSS 0.0023
EPSS Percentile 14.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-269
Status published
Products (4)
google/android 11.0
google/android 12.0
google/android 12.1
google/android 13.0
Published Sep 11, 2023
Tracked Since Feb 18, 2026