Cyber Resilience

CVE-2023-40132

High

Published: 21 January 2025

Published
21 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0000 0.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-40132 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-40132 is a vulnerability in the setActualDefaultRingtoneUri method of RingtoneManager.java within the Android framework. It stems from a missing permission check that allows bypassing content provider read permissions, classified under CWE-276 (Incorrect Default Permissions). The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-01-21.

A local attacker with low privileges can exploit this vulnerability to achieve escalation of privilege without needing additional execution privileges. Although the CVSS vector indicates no user interaction (UI:N), the description specifies that user interaction is required for exploitation. Successful exploitation grants high confidentiality, integrity, and availability impacts.

The Android Security Bulletin at https://source.android.com/security/bulletin/2025-01-01 provides details on patches and mitigation steps for affected Android versions. Security practitioners should apply these updates promptly to address the permission bypass.

EU & UK References

Vulnerability details

In setActualDefaultRingtoneUri of RingtoneManager.java, there is a possible way to bypass content providers read permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for…

more

exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing permission check enables local privilege escalation via exploitation of Android framework component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-49737Same product: Google Android
CVE-2024-53841Same product: Google Android
CVE-2018-9434Same product: Google Android
CVE-2018-9401Same product: Google Android
CVE-2024-34730Same product: Google Android
CVE-2024-11624Same product: Google Android
CVE-2024-49735Same product: Google Android
CVE-2024-49732Same product: Google Android
CVE-2024-53835Same product: Google Android
CVE-2024-43769Same product: Google Android

Affected Assets

google
android
12.0, 12.1, 13.0, 14.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly addressing the missing permission check that allows bypassing content provider read permissions.

prevent

Employs least privilege to restrict access beyond what is necessary, mitigating the local escalation of privilege enabled by the permission bypass.

preventrecover

Requires identification, reporting, and correction of flaws like the missing permission check in RingtoneManager.java, as addressed in Android security bulletins.

References