Cyber Resilience

CVE-2023-20963

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 24 March 2023
Modified: 23 October 2025
KEV Added: 13 April 2023
Patch: 01 March 2023
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0114 (78.8th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-20963 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 21.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2023-20963 is a vulnerability in the WorkSource component of Android that stems from a possible parcel mismatch. It affects Android versions 11, 12, 12L, and 13 and carries a CVSS 3.1 base score of 7.8. The underlying weakness is tracked as CWE-295.

A local attacker with existing application privileges can exploit the flaw without user interaction or additional execution rights to achieve privilege escalation on the device. The attack occurs entirely within the local attack surface and can result in full compromise of confidentiality, integrity, and availability.

The March 2023 Android security bulletin addresses the issue under Android ID A-220302519 and provides the corresponding patches for the affected releases. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0234, indicating increased exploitation interest after public disclosure.

Vulnerability details

In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android-11 Android-12 Android-12L Android-13
Android ID: A-220302519

CWE(s): CWE-295 (Improper Certificate Validation)
KEV Date Added: 13 April 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: google
Product: android
Versions: 11.0, 12.0, 12.1, 13.0

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Directly enforces Android's permission model and Binder IPC access checks that the parcel mismatch in WorkSource bypasses to achieve unauthorized privilege escalation.

- AC-6 Least Privilege (prevent): Requires processes to operate only with the privileges explicitly granted; the flaw allows a local app to obtain higher privileges than intended without additional permissions.

- Input validation (prevent): Mandates validation of all input data structures; a parcel mismatch is an instance of malformed IPC input that proper validation would reject before privilege escalation occurs.