CVE-2023-21086 in Android
Summary
by MITRE • 04/19/2023
In isToggleable of SecureNfcEnabler.java and SecureNfcPreferenceController.java, there is a possible way to enable NFC from a secondary account due to a permissions bypass. This could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-238298970
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/04/2025
The vulnerability described in CVE-2023-21086 represents a critical permissions bypass flaw within Android's NFC security implementation that specifically affects Android 11 through Android 13 versions. This issue resides in the SecureNfcEnabler.java and SecureNfcPreferenceController.java components, which are responsible for managing NFC functionality and access controls within the Android operating system. The flaw allows for unauthorized NFC activation through secondary user accounts, creating a pathway for privilege escalation from guest user contexts to full system privileges without requiring additional execution privileges or user interaction.
The technical nature of this vulnerability stems from improper access control validation within the NFC enablement logic, where the isToggleable method fails to properly verify user permissions before allowing NFC functionality activation. This bypass occurs specifically when secondary accounts attempt to enable NFC services, exploiting a gap in the permission model that should normally restrict such operations to primary users or system-level processes. The vulnerability operates at the system level within Android's security framework, where user account isolation mechanisms are supposed to prevent cross-account privilege escalation.
From an operational perspective, this vulnerability presents a severe security risk as it enables local privilege escalation from guest accounts, which typically have minimal system access rights. The lack of user interaction requirement makes this flaw particularly dangerous as it can be exploited automatically without any user involvement, potentially allowing attackers to gain unauthorized access to NFC-enabled services and associated data. The impact extends beyond simple NFC functionality, as NFC devices often serve as gateways for various security-sensitive operations including secure payments, device pairing, and access control systems. This vulnerability directly relates to CWE-284: Improper Access Control, which addresses insufficient access control mechanisms that allow unauthorized access to resources.
The exploitation of this vulnerability could enable attackers to manipulate NFC services from guest accounts, potentially leading to unauthorized data transfer, device pairing with malicious entities, or bypassing other security controls that depend on NFC functionality. Attackers could leverage this privilege escalation to access sensitive information, perform unauthorized transactions, or establish persistent access points through NFC-enabled devices. This flaw aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation, where adversaries exploit vulnerabilities to gain higher-level privileges within a system. The vulnerability affects all Android versions from 11 through 13, indicating it has been present in the system for multiple releases and represents a long-standing security gap that requires immediate remediation through system updates and patches.
The security implications of this vulnerability extend to the fundamental principle of least privilege enforcement within Android's multi-user environment, where secondary accounts should not be able to perform system-level operations that require primary user authorization. This flaw undermines the integrity of Android's user isolation mechanisms and represents a significant weakness in the operating system's security architecture that could be exploited in various attack scenarios involving NFC-enabled devices and services.