CVE-2023-21073 in Android

Summary

by MITRE • 03/24/2023

In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-257290396
References: N/A


Analysis

by VulDB Data Team • 09/10/2025

The vulnerability identified as CVE-2023-21073 resides within the Android kernel's Real-Time Transport protocol implementation, specifically in the rtt_unpack_xtlv_cbfn function located in the dhd_rtt.c file. This flaw represents a critical buffer overflow condition that can result in arbitrary code execution with system-level privileges. The vulnerability manifests when processing RTT (Round Trip Time) data structures, which are used for location services and network performance measurement in wireless communication systems. The buffer overflow occurs during the unpacking of extended type-length-value (XTLV) data structures, where insufficient bounds checking allows maliciously crafted input to overwrite adjacent memory regions.

The technical implementation of this vulnerability stems from inadequate input validation within the RTT subsystem of the Broadcom wireless driver. When the rtt_unpack_xtlv_cbfn function processes incoming RTT measurement data, it fails to properly validate the length parameters of the XTLV structures before copying data into fixed-size buffers. This oversight creates a scenario where an attacker can craft specially formatted RTT measurement packets that exceed the allocated buffer boundaries, leading to memory corruption. The flaw is categorized under CWE-121 as a stack-based buffer overflow, though it manifests in kernel space where the consequences are more severe. The vulnerability can be exploited through the wireless network interface, making it particularly concerning as it can be triggered remotely without requiring user interaction or physical access to the device.

The operational impact of this vulnerability extends beyond simple privilege escalation, as it enables attackers to gain complete system control through local privilege escalation. An attacker with access to the wireless network interface or the ability to inject malicious RTT measurement data can leverage this vulnerability to execute arbitrary code with kernel privileges. This level of access allows for complete system compromise, including the ability to install malicious software, modify system files, access all user data, and establish persistent backdoors. The vulnerability affects Android devices that utilize Broadcom wireless chipsets and implement the RTT functionality for location services, potentially impacting millions of devices worldwide. The lack of user interaction requirements makes this vulnerability particularly dangerous as it can be exploited automatically without any user awareness or consent.

Mitigation strategies for CVE-2023-21073 should prioritize immediate patch deployment from device manufacturers and Google, as the vulnerability exists in the core kernel components of affected Android versions. Organizations should implement network monitoring to detect anomalous RTT measurement traffic patterns that might indicate exploitation attempts. Security researchers recommend disabling RTT functionality when not actively required for location services, as this reduces the attack surface. Device manufacturers should also consider implementing additional input validation layers in wireless drivers and employing kernel hardening techniques such as stack canaries and address space layout randomization. The vulnerability aligns with ATT&CK technique T1068, which covers privilege escalation through kernel exploits, and T1566, covering social engineering through wireless network manipulation. Regular security audits of kernel components and wireless driver implementations should be conducted to identify similar buffer overflow vulnerabilities that could be exploited in similar contexts.
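The XTLV unpacking flaw described above, and the additional input validation layer the mitigation paragraph calls for, as an added C example that is not the driver's code: a constructed type-length-value parser in its vulnerable form (the length field is taken from the message and trusted) beside a hardened form (the length is checked against both the bytes remaining in the message and the size of the destination buffer). Everything here is an assumption made for illustration, not dhd_rtt.c's layout or identifiers: the 2-byte type / 2-byte length header, `struct rtt_ctx`, `XTLV_TYPE_RESULT`, `RTT_RESULT_MAX` and the guard word that stands in for whatever memory follows the destination buffer. The sample message is constructed so the overflow lands only on that guard word, which keeps the demonstration inside one object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not dhd_rtt.c: each XTLV record is a 2-byte type, a
 * 2-byte length (both little-endian), then `length` value bytes. */
#define XTLV_HDR_LEN     4
#define XTLV_TYPE_NOISE  0x0001   /* hypothetical: a record the parser skips */
#define XTLV_TYPE_RESULT 0x0002   /* hypothetical: the record copied into ctx->result */
#define RTT_RESULT_MAX   16       /* hypothetical fixed-size destination */
#define GUARD_MAGIC      0xDEADBEEFu

/* Stand-in for a kernel object: the destination buffer plus a guard word that
 * represents whatever sits after it in memory. */
struct rtt_ctx {
    uint8_t  result[RTT_RESULT_MAX];
    uint32_t guard;
    uint16_t result_len;
};
struct outcome { int rc; int guard_intact; };
typedef int (*unpack_fn)(struct rtt_ctx *, const uint8_t *, size_t);

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: the length comes straight from the message and is never
 * compared with the destination size or with the bytes left in the message. */
int rtt_unpack_xtlv_vuln(struct rtt_ctx *ctx, const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    while (off + XTLV_HDR_LEN <= buflen) {
        uint16_t type = rd16(buf + off), len = rd16(buf + off + 2);
        off += XTLV_HDR_LEN;
        if (type == XTLV_TYPE_RESULT) {
            /* BUG: len may exceed RTT_RESULT_MAX, so bytes spill into ctx->guard.
             * Addressed via the enclosing struct so the demo stays in one object. */
            memcpy((uint8_t *)ctx + offsetof(struct rtt_ctx, result), buf + off, len);
            ctx->result_len = len;
        }
        off += len;
    }
    return 0;
}

/* Hardened form: each length is checked against the remaining message (no
 * out-of-bounds read) and against the destination (no out-of-bounds write). */
int rtt_unpack_xtlv_safe(struct rtt_ctx *ctx, const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    while (off < buflen) {
        if (buflen - off < XTLV_HDR_LEN) return -1;      /* truncated header */
        uint16_t type = rd16(buf + off), len = rd16(buf + off + 2);
        off += XTLV_HDR_LEN;
        if (len > buflen - off) return -1;                /* value runs past message end */
        if (type == XTLV_TYPE_RESULT) {
            if (len > sizeof ctx->result) return -2;      /* would overflow destination */
            memcpy(ctx->result, buf + off, len);
            ctx->result_len = len;
        }
        off += len;
    }
    return 0;
}

/* Builds a constructed two-record message: a 4-byte NOISE record, then a RESULT
 * record of result_len filler bytes. Returns its length, or 0 if cap is too small. */
size_t build_message(uint8_t *out, size_t cap, uint16_t result_len)
{
    size_t total = XTLV_HDR_LEN + 4 + XTLV_HDR_LEN + result_len;
    if (total > cap) return 0;
    uint8_t *p = out;
    *p++ = XTLV_TYPE_NOISE;  *p++ = 0; *p++ = 4; *p++ = 0;
    memset(p, 0xAA, 4); p += 4;
    *p++ = XTLV_TYPE_RESULT; *p++ = 0;
    *p++ = (uint8_t)(result_len & 0xFF); *p++ = (uint8_t)(result_len >> 8);
    memset(p, 0x41, result_len);
    return total;
}

/* Runs one parser on a message whose RESULT record carries result_len bytes
 * (optionally with its last truncate_by bytes cut off) and reports the return
 * code plus whether the guard word behind the buffer survived. */
struct outcome run_case(unpack_fn unpack, uint16_t result_len, size_t truncate_by)
{
    uint8_t msg[64];
    struct rtt_ctx ctx;
    struct outcome out;
    memset(&ctx, 0, sizeof ctx);
    ctx.guard = GUARD_MAGIC;
    size_t n = build_message(msg, sizeof msg, result_len);
    if (n > truncate_by) n -= truncate_by;
    out.rc = unpack(&ctx, msg, n);
    out.guard_intact = (ctx.guard == GUARD_MAGIC);
    return out;
}

int main(void)
{
    struct outcome v = run_case(rtt_unpack_xtlv_vuln, RTT_RESULT_MAX + 4, 0);
    struct outcome s = run_case(rtt_unpack_xtlv_safe, RTT_RESULT_MAX + 4, 0);
    printf("vulnerable: rc=%d guard %s\n", v.rc, v.guard_intact ? "intact" : "CLOBBERED");
    printf("hardened:   rc=%d guard %s\n", s.rc, s.guard_intact ? "intact" : "CLOBBERED");
    return 0;
}
```

The hardened parser rejects a message before touching the destination, which is the check that maps to the CWE-121 classification above: the write size must be bounded by the destination, not by a field the sender controls. Checking the length against the remaining message as well closes the companion out-of-bounds read that the same trusted field would otherwise cause.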

Reservation: 11/03/2022
Disclosure: 03/24/2023
Moderation: accepted
CPE: ready
EPSS: 0.00099
KEV: no
Activities: very low

Sources
