{"id":"ASB-A-261858325","details":"In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-261858325","CVE-2023-21097"],"modified":"2026-04-29T15:10:00.007170Z","published":"2023-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/37e9ac249bc712eb240a7224ebe09d24de5fb190"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-04-01"}]}],"versions":["13-next"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-261858325-2536fb0d","source":"https://android.googlesource.com/platform/frameworks/base/+/e56ca6b94516e4adb9ba5002a2dff0fbcd6bfff2","signature_version":"v1","target":{"file":"core/java/android/content/Intent.java"},"digest":{"line_hashes":["94551627107923130385523135893517785998","150136354593107910198119465791752131621","196149630175400252759956693774630289095","19069004713157416761334761750151917249"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"id":"ASB-A-261858325-429679e2","source":"https://android.googlesource.com/platform/frameworks/base/+/e56ca6b94516e4adb9ba5002a2dff0fbcd6bfff2","signature_version":"v1","target":{"function":"toUriInner","file":"core/java/android/content/Intent.java"},"digest":{"length":2051,"function_hash":"240844664726332416271350520095610606287"},"deprecated":false,"signature_type":"Function"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e56ca6b94516e4adb9ba5002a2dff0fbcd6bfff2"],"spl":"2023-04-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261858325.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-04-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-261858325-40580961","source":"https://android.googlesource.com/platform/frameworks/base/+/43437b4ee6424933d4e403f0375ef8c1f07986f4","signature_version":"v1","target":{"function":"toUriInner","file":"core/java/android/content/Intent.java"},"digest":{"length":2051,"function_hash":"240844664726332416271350520095610606287"},"deprecated":false,"signature_type":"Function"},{"id":"ASB-A-261858325-525397a1","source":"https://android.googlesource.com/platform/frameworks/base/+/43437b4ee6424933d4e403f0375ef8c1f07986f4","signature_version":"v1","target":{"file":"core/java/android/content/Intent.java"},"digest":{"line_hashes":["94551627107923130385523135893517785998","150136354593107910198119465791752131621","196149630175400252759956693774630289095","19069004713157416761334761750151917249"],"threshold":0.9},"deprecated":false,"signature_type":"Line"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/43437b4ee6424933d4e403f0375ef8c1f07986f4"],"spl":"2023-04-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261858325.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-04-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-261858325-3cdd2e2e","source":"https://android.googlesource.com/platform/frameworks/base/+/bfe7e8bab48caff53dbcf2913f724de2e4f5aa81","signature_version":"v1","target":{"file":"core/java/android/content/Intent.java"},"digest":{"line_hashes":["94551627107923130385523135893517785998","150136354593107910198119465791752131621","196149630175400252759956693774630289095","19069004713157416761334761750151917249"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"id":"ASB-A-261858325-b9a8567f","source":"https://android.googlesource.com/platform/frameworks/base/+/bfe7e8bab48caff53dbcf2913f724de2e4f5aa81","signature_version":"v1","target":{"function":"toUriInner","file":"core/java/android/content/Intent.java"},"digest":{"length":2051,"function_hash":"240844664726332416271350520095610606287"},"deprecated":false,"signature_type":"Function"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/bfe7e8bab48caff53dbcf2913f724de2e4f5aa81"],"spl":"2023-04-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261858325.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-04-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-261858325-2c0cb12b","source":"https://android.googlesource.com/platform/frameworks/base/+/c0f1b9f614edcc04130d8dc3c28f109e9571fa8a","signature_version":"v1","target":{"function":"toUriInner","file":"core/java/android/content/Intent.java"},"digest":{"length":2051,"function_hash":"240844664726332416271350520095610606287"},"deprecated":false,"signature_type":"Function"},{"id":"ASB-A-261858325-83550bb2","source":"https://android.googlesource.com/platform/frameworks/base/+/c0f1b9f614edcc04130d8dc3c28f109e9571fa8a","signature_version":"v1","target":{"file":"core/java/android/content/Intent.java"},"digest":{"line_hashes":["94551627107923130385523135893517785998","150136354593107910198119465791752131621","196149630175400252759956693774630289095","19069004713157416761334761750151917249"],"threshold":0.9},"deprecated":false,"signature_type":"Line"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c0f1b9f614edcc04130d8dc3c28f109e9571fa8a"],"spl":"2023-04-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261858325.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-04-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"id":"ASB-A-261858325-16d68fcd","source":"https://android.googlesource.com/platform/frameworks/base/+/e10ae05752f39c038703f8c2c3827123ea84d31e","signature_version":"v1","target":{"function":"toUriInner","file":"core/java/android/content/Intent.java"},"digest":{"length":2051,"function_hash":"240844664726332416271350520095610606287"},"deprecated":false,"signature_type":"Function"},{"id":"ASB-A-261858325-a073abf6","source":"https://android.googlesource.com/platform/frameworks/base/+/e10ae05752f39c038703f8c2c3827123ea84d31e","signature_version":"v1","target":{"file":"core/java/android/content/Intent.java"},"digest":{"line_hashes":["94551627107923130385523135893517785998","150136354593107910198119465791752131621","196149630175400252759956693774630289095","19069004713157416761334761750151917249"],"threshold":0.9},"deprecated":false,"signature_type":"Line"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e10ae05752f39c038703f8c2c3827123ea84d31e"],"spl":"2023-04-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-261858325.json"}}],"schema_version":"1.7.5"}