{"id":"ASB-A-264879662","details":"In nci_snd_set_routing_cmd of nci_hmsgs.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-264879662","CVE-2023-21085"],"modified":"2026-04-21T15:25:42.831358Z","published":"2023-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/system/nfc/+/09591ec257b3547348e0e3ba123523ea8361c84d"}],"affected":[{"package":{"name":"platform/system/nfc","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-04-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-04-01","types":["RCE"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-1d893a6b","signature_type":"Line","digest":{"line_hashes":["208283816317851276167464264087713045043","101512112163818874160315300790181291129","227387121055190419413577922687070710536"],"threshold":0.9},"target":{"file":"src/nfc/nci/nci_hmsgs.cc"},"deprecated":false},{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-5268930d","signature_type":"Function","digest":{"function_hash":"245286270681895241095322239054195438896","length":735},"target":{"file":"src/nfc/nci/nci_hmsgs.cc","function":"nci_snd_set_routing_cmd"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-264879662.json"}},{"package":{"name":"platform/system/nfc","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-04-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2023-04-01","types":["RCE"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-c7e88808","signature_type":"Function","digest":{"function_hash":"245286270681895241095322239054195438896","length":735},"target":{"file":"src/nfc/nci/nci_hmsgs.cc","function":"nci_snd_set_routing_cmd"},"deprecated":false},{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-fa5e2d05","signature_type":"Line","digest":{"line_hashes":["208283816317851276167464264087713045043","101512112163818874160315300790181291129","227387121055190419413577922687070710536"],"threshold":0.9},"target":{"file":"src/nfc/nci/nci_hmsgs.cc"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-264879662.json"}},{"package":{"name":"platform/system/nfc","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-04-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-04-01","types":["RCE"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-4d490539","signature_type":"Line","digest":{"line_hashes":["208283816317851276167464264087713045043","101512112163818874160315300790181291129","227387121055190419413577922687070710536"],"threshold":0.9},"target":{"file":"src/nfc/nci/nci_hmsgs.cc"},"deprecated":false},{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-61a91699","signature_type":"Function","digest":{"function_hash":"245286270681895241095322239054195438896","length":735},"target":{"file":"src/nfc/nci/nci_hmsgs.cc","function":"nci_snd_set_routing_cmd"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-264879662.json"}},{"package":{"name":"platform/system/nfc","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-04-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-04-01","types":["RCE"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-be9d5960","signature_type":"Function","digest":{"function_hash":"245286270681895241095322239054195438896","length":735},"target":{"file":"src/nfc/nci/nci_hmsgs.cc","function":"nci_snd_set_routing_cmd"},"deprecated":false},{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-d782ad19","signature_type":"Line","digest":{"line_hashes":["208283816317851276167464264087713045043","101512112163818874160315300790181291129","227387121055190419413577922687070710536"],"threshold":0.9},"target":{"file":"src/nfc/nci/nci_hmsgs.cc"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-264879662.json"}},{"package":{"name":"platform/system/nfc","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-04-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-04-01","types":["RCE"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-e074064c","signature_type":"Line","digest":{"line_hashes":["208283816317851276167464264087713045043","101512112163818874160315300790181291129","227387121055190419413577922687070710536"],"threshold":0.9},"target":{"file":"src/nfc/nci/nci_hmsgs.cc"},"deprecated":false},{"source":"https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78","signature_version":"v1","id":"ASB-A-264879662-f9174d19","signature_type":"Function","digest":{"function_hash":"245286270681895241095322239054195438896","length":735},"target":{"file":"src/nfc/nci/nci_hmsgs.cc","function":"nci_snd_set_routing_cmd"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/system/nfc/+/1dd4d2e1b481dd83ca2b222993fdb74ae5306c78"],"severity":"Critical"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-264879662.json"}}],"schema_version":"1.7.5"}