CVE-2023-48418 | In checkDebuggingDisallowed of DeviceVersionFragment.java, t… | CVSS 10.0 CRITICAL

Description

In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation

Metadata

CVE ID: CVE-2023-48418
State: PUBLISHED
Assigner: Google_Devices
Reserved: 2023-11-16 16:28 UTC
Published: 2024-01-02 22:25 UTC
Last updated: 2025-06-03 14:45 UTC
Primary CWE: CWE-269
CWE-269 Improper Privilege Management
Vendor / Product: Google / Pixel Watch
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Google	Pixel Watch	Android	11

Weakness (CWE)

CWE	Source	Description
CWE-269	cna	CWE-269 Improper Privilege Management

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (2)