CVE-2023-21072 in Android
Summary
by MITRE • 03/24/2023
In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-257290781
References: N/A
Analysis
by VulDB Data Team • 09/10/2025
CVE-2023-21072 is a critical buffer overflow in the Android kernel's Broadcom wireless driver: the rtt_unpack_xtlv_cbfn function in dhd_rtt.c, which implements the driver side of Wi-Fi round-trip-time (RTT) ranging. The flaw stems from inadequate bounds checking while processing the extended type-length-value (XTLV) structures used by the RTT functionality, so that maliciously crafted input data causes memory writes beyond the intended buffer boundaries.
The flaw is classified under CWE-121 (stack-based buffer overflow), although the driver context suggests the affected buffer may in fact live on the heap. It is triggered when the RTT callback processes XTLV input without validating the length fields it carries, allowing data to be written past the allocated region. Because these XTLV structures carry information between the wireless driver and the RTT subsystem, the missing boundary checks turn untrusted length values into out-of-bounds kernel writes that can overwrite critical kernel data structures and, from there, control flow.
The operational impact is severe: successful exploitation yields local privilege escalation into the kernel. As the summary above states, the attacker needs a process already running with System execution privileges, but no user interaction is required, so the bug can be triggered silently through normal system operations involving wireless networking. An attacker meeting that requirement could execute arbitrary code with kernel-level privileges, compromising the entire device and enabling further attacks against other system components. This is a classic privilege escalation vector for malicious applications or processes running on the device.
Mitigation for CVE-2023-21072 should prioritize immediate deployment of the device manufacturer's patch, since the flaw sits in core kernel functionality. Organizations may also monitor for unusual RTT activity that could indicate exploitation attempts, and should rely on runtime protections such as kernel address space layout randomization and stack canaries, which raise the cost of exploitation without removing the bug. The vulnerability maps to ATT&CK technique T1068 (Exploitation for Privilege Escalation): rather than abusing legitimate credentials, it bypasses normal privilege boundaries entirely. System administrators should additionally watch for unauthorized access attempts and consider tighter access controls around the wireless networking components, as the bug lives in the kernel driver layer that handles wireless communication. The fix consists of proper bounds checking that validates input data lengths and ensures every memory write stays within the allocated buffer, removing the overflow condition that enables privilege escalation.
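As an added, constructed illustration of the bounds-checking fix described above (this is example code, not the page's or Broadcom's dhd_rtt.c; the XTLV record layout, the destination buffer size and every name in it are assumptions), here is a small TLV unpacker in the vulnerable form beside a hardened one that validates each length against both the remaining input and the destination capacity:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, NOT the Broadcom dhd_rtt.c code. Assumed record layout:
 * 16-bit type, 16-bit length, then `length` payload bytes, little-endian.
 * All names here (rtt_result, unpack_*, demo_*) are invented for illustration. */
#define XTLV_HDR_LEN   4
#define RTT_RESULT_CAP 32          /* hypothetical fixed-size destination buffer */

struct rtt_result {
    uint16_t type;
    uint16_t len;                  /* payload bytes actually stored in data[] */
    uint8_t  data[RTT_RESULT_CAP];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: trusts the length field carried by the record and copies
 * that many bytes into a fixed-size buffer. A length above RTT_RESULT_CAP writes
 * past the end of out->data. Shown for contrast only; never run on untrusted input. */
void unpack_unchecked(const uint8_t *rec, struct rtt_result *out)
{
    out->type = rd16(rec);
    out->len  = rd16(rec + 2);
    memcpy(out->data, rec + XTLV_HDR_LEN, out->len);   /* no bounds check */
}

/* Hardened version: each length is checked against the remaining input (header
 * and payload must lie inside buf) and against the destination capacity (the copy
 * must fit in out[n].data). Returns the number of records unpacked, or -1 at the
 * first malformed record, before anything is copied for it. */
int unpack_checked(const uint8_t *buf, size_t buf_len,
                   struct rtt_result *out, size_t max_out)
{
    size_t off = 0;
    int n = 0;
    while (off < buf_len) {
        if (buf_len - off < XTLV_HDR_LEN) return -1;           /* truncated header */
        uint16_t type = rd16(buf + off);
        uint16_t len  = rd16(buf + off + 2);
        if (len > buf_len - off - XTLV_HDR_LEN) return -1;     /* payload past end of input */
        if (len > RTT_RESULT_CAP) return -1;                   /* payload larger than data[] */
        if ((size_t)n >= max_out) return -1;                   /* no room for another result */
        out[n].type = type;
        out[n].len  = len;
        memcpy(out[n].data, buf + off + XTLV_HDR_LEN, len);
        off += XTLV_HDR_LEN + len;
        n++;
    }
    return n;
}

/* Constructed input: two well-formed records (type 1 with 4 bytes, type 2 with 2). */
static const uint8_t good_stream[] = { 0x01, 0x00, 0x04, 0x00, 0xaa, 0xbb, 0xcc, 0xdd,
                                       0x02, 0x00, 0x02, 0x00, 0x11, 0x22 };

int demo_good(void)
{
    struct rtt_result res[4];
    int n = unpack_checked(good_stream, sizeof good_stream, res, 4);
    if (n != 2 || res[1].type != 2 || res[1].len != 2 || res[1].data[1] != 0x22)
        return -100;                 /* sanity check on the decoded second record */
    return n;
}

/* A record whose 40-byte payload is fully present but exceeds RTT_RESULT_CAP:
 * unpack_unchecked would overflow on it; unpack_checked refuses it. */
int demo_oversize(void)
{
    uint8_t buf[XTLV_HDR_LEN + 40] = { 0x01, 0x00, 40, 0x00 };
    struct rtt_result res[1];
    memset(buf + XTLV_HDR_LEN, 0x41, 40);
    return unpack_checked(buf, sizeof buf, res, 1);
}

/* Length field claims 8 payload bytes but only 2 follow the header. */
int demo_truncated(void)
{
    static const uint8_t s[] = { 0x01, 0x00, 0x08, 0x00, 0xaa, 0xbb };
    struct rtt_result res[1];
    return unpack_checked(s, sizeof s, res, 1);
}

int main(void)
{
    printf("good: %d records, oversize: %d, truncated: %d\n",
           demo_good(), demo_oversize(), demo_truncated());
    return 0;
}
```

The two checks in unpack_checked are the ones a reviewer looks for in any TLV walker: the length must fit inside what remains of the input (otherwise the read runs off the end of the message) and inside the destination (otherwise the write runs off the end of the result buffer, which is the class of defect this CVE describes). Both are evaluated before the memcpy, so a rejected record leaves the destination untouched.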