CVE-2023-40133

MEDIUM

Android - Local Information Disclosure via Confused Deputy in DialogFillUi

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-40133. PoCs published by uthrasri.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2023-40133, targeting the Android Autofill framework. The provided Java files demonstrate the vulnerability by manipulating the FillUi class to exploit improper input validation in the Autofill service.

Description

In multiple locations of DialogFillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (1)

nomisec WORKING POC
by uthrasri · poc
https://github.com/uthrasri/frame_CVE-2023-40133_136_137

The repository contains functional exploit code for CVE-2023-40133, targeting the Android Autofill framework. The provided Java files demonstrate the vulnerability by manipulating the FillUi class to exploit improper input validation in the Autofill service.

Classification
Working Poc 90%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Android Autofill Framework (versions affected by CVE-2023-40133)
No auth needed
Prerequisites: Access to a vulnerable Android device · Ability to execute arbitrary code in the context of the Autofill service
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.5
EPSS 0.0018
EPSS Percentile 7.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (4)
google/android 11.0
google/android 12.0
google/android 12.1
google/android 13.0
Published Oct 27, 2023
Tracked Since Feb 18, 2026