CVE-2023-20963 Overview
CVE-2023-20963 is a local privilege escalation vulnerability in the Android WorkSource class. The flaw stems from a parcel mismatch between the serialization and deserialization paths, a class of bug commonly referred to as a Parcel/Bundle mismatch. An attacker with local code execution on an Android device can exploit this inconsistency to elevate privileges without requiring user interaction or additional execution rights. The vulnerability affects Android versions 11, 12, 12L, and 13. CISA added CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) catalog after confirming exploitation in the wild, with reports linking the flaw to commercial spyware deployed against Android users.
Critical Impact
A local attacker can escalate privileges on affected Android devices to gain access to system-level capabilities, enabling persistent compromise and access to sensitive user data.
Affected Products
- Google Android 11
- Google Android 12 and 12L
- Google Android 13
Discovery Timeline
- 2023-03-01 - Google publishes fix in the Android Security Bulletin (March 2023)
- 2023-03-24 - CVE-2023-20963 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2023-20963
Vulnerability Analysis
The vulnerability resides in the Android WorkSource class, which records the application or user on whose behalf power and other resources are consumed. The class implements the Parcelable interface so that instances can be passed over Inter-Process Communication (IPC) between system services and apps. A mismatch exists between how WorkSource writes its fields to a Parcel and how it reads the same fields back, so a crafted parcel can produce different object states on the writing and reading sides. NVD records classify the flaw under CWE-295, but the underlying defect is a serialization integrity issue characteristic of Android Parcel mismatch bugs.
Root Cause
The root cause is inconsistent serialization logic between WorkSource.writeToParcel() and WorkSource.createFromParcel(). When a parcel travels through IPC, the deserialized object can carry attacker-controlled fields that differ from what the sending process originally validated. System services that inspected the object before transit, such as the AlarmManager and related framework components, continue to operate on the values they validated while the receiver processes attacker-controlled values. This breaks the security assumption that a vetted parcel remains immutable across IPC boundaries.
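The following is an added illustration of the Parcel mismatch bug class described above; it is constructed for this page and is not WorkSource's real code. The Parcel stand-in, the ToyWorkSource class and its field layout are assumptions chosen to make the asymmetry visible, and they do not reproduce the actual layout fixed under A-220302519. The point it shows is the one a Parcelable test suite should check: a reader that mirrors the writer consumes exactly what was written, while a reader with a condition the writer never applied leaves the cursor at the wrong offset, so every field that follows the object in the parcel is parsed from the wrong place.

```python
# Constructed toy model of an Android-style Parcel mismatch (example code,
# not WorkSource's real implementation or field layout).
from dataclasses import dataclass, field
from typing import List


class Parcel:
    """Stand-in for android.os.Parcel: an ordered buffer with a read cursor.
    A real Parcel is byte-oriented, but the bug class is identical: the
    reader and writer disagree on how much of the buffer one object occupies."""

    def __init__(self) -> None:
        self.items: list = []
        self.pos = 0

    def write(self, value) -> None:
        self.items.append(value)

    def read(self):
        value = self.items[self.pos]
        self.pos += 1
        return value


@dataclass
class ToyWorkSource:
    """Assumed shape: a list of uids and a parallel list of names."""
    uids: List[int] = field(default_factory=list)
    names: List[str] = field(default_factory=list)


def write_to_parcel(ws: ToyWorkSource, p: Parcel) -> None:
    """Writer side: uid count, uids, then name count and names, always."""
    p.write(len(ws.uids))
    for uid in ws.uids:
        p.write(uid)
    p.write(len(ws.names))
    for name in ws.names:
        p.write(name)


def create_from_parcel_vulnerable(p: Parcel) -> ToyWorkSource:
    """Reader side with the mismatch: the name list is only read when there
    are uids, so for an empty uid list the writer's name count is left in
    the buffer and the cursor ends one item short."""
    count = p.read()
    uids = [p.read() for _ in range(count)]
    names: List[str] = []
    if count > 0:  # BUG: a condition the writer never applied
        names = [p.read() for _ in range(p.read())]
    return ToyWorkSource(uids, names)


def create_from_parcel_fixed(p: Parcel) -> ToyWorkSource:
    """Reader side mirroring the writer step for step."""
    count = p.read()
    uids = [p.read() for _ in range(count)]
    names = [p.read() for _ in range(p.read())]
    return ToyWorkSource(uids, names)


def consumes_exactly_what_was_written(reader, ws: ToyWorkSource) -> bool:
    """Round-trip check to run for every representative object shape: the
    read-back object must equal the original AND the cursor must land exactly
    at the end of what was written. Object equality alone passes for the
    empty-uid case; only the cursor check exposes the mismatch."""
    p = Parcel()
    write_to_parcel(ws, p)
    back = reader(p)
    return back == ws and p.pos == len(p.items)


def downstream_caller_uid(reader, ws: ToyWorkSource, caller_uid: int) -> int:
    """Model of a service reading a WorkSource followed by another field.
    With the mismatched reader the next field is read from the wrong offset
    and no longer reflects what the sender wrote."""
    p = Parcel()
    write_to_parcel(ws, p)
    p.write(caller_uid)
    reader(p)
    return p.read()


if __name__ == "__main__":
    empty = ToyWorkSource()
    for name, reader in (("vulnerable", create_from_parcel_vulnerable),
                         ("fixed", create_from_parcel_fixed)):
        print(name, "round-trip ok:", consumes_exactly_what_was_written(reader, empty),
              "caller_uid seen:", downstream_caller_uid(reader, empty, 10123))
```

Running the script shows the vulnerable reader passing object equality yet failing the cursor check for the empty-uid shape, and the field after it reading back as 0 instead of the 10123 that was written. A round-trip test of this form over each object shape is the cheapest way to catch writeToParcel/createFromParcel asymmetries before they reach a privileged service.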
Attack Vector
An attacker first obtains local code execution through a malicious application installed on the device. The application crafts a malformed WorkSource parcel and submits it to a privileged system service that accepts WorkSource arguments. Because the parcel mismatch lets the attacker smuggle fields past validation, the system service executes operations with system-level privileges using attacker-controlled data. Reporting tied to the CISA KEV listing indicates the flaw was used as part of an exploit chain delivered by commercial surveillance vendors. No user interaction is required, and the vulnerability is reachable by any installed app.
No verified public proof-of-concept code is published for this issue. Technical details are described in the Android Security Bulletin March 2023.
Detection Methods for CVE-2023-20963
Indicators of Compromise
- Unexpected applications holding or repeatedly requesting elevated permissions such as WRITE_SECURE_SETTINGS or device-admin rights shortly after install.
- Crashes or anomalous log entries in system_server referencing WorkSource parcel parsing.
- Devices running Android 11 through 13 without the 2023-03-05 or later security patch level.
Detection Strategies
- Audit device security patch levels through Mobile Device Management (MDM) and flag devices below the March 2023 Android patch level.
- Inspect logcat and dropbox records on managed fleets for repeated WorkSource deserialization errors or system_server exceptions.
- Correlate newly installed applications with unexpected privilege grants using mobile threat defense telemetry.
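As an added example for the logcat inspection strategy above (not code from the page, Google or any vendor), the filter below picks out system_server records that mention WorkSource together with a parcel failure term and reports whether they repeat. The sample log lines are constructed for this example since the page gives no real log strings; the match terms are assumptions to tune against real fleet data, and the system_server PID is assumed to be obtained on the device with `adb shell pidof system_server`.

```python
# Added detection example over constructed logcat lines; the regexes and the
# sample records are assumptions, not real CVE-2023-20963 log signatures.
import re
from typing import Dict, List, Optional

# logcat -v threadtime layout: date time PID TID level tag: message
THREADTIME = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# Terms that together indicate a WorkSource parcel problem (assumed signature).
WORKSOURCE = re.compile(r"WorkSource", re.IGNORECASE)
PARCEL_FAIL = re.compile(r"parcel|unmarshal|BadParcelableException|mismatch", re.IGNORECASE)

SYSTEM_SERVER_PID = 1234  # constructed; on a device use: adb shell pidof system_server

# Constructed sample lines in threadtime format.
SAMPLE_LOGCAT = """\
03-02 11:42:07.113  1234  1456 W WorkSource: constructed sample: size mismatch while reading WorkSource from parcel
03-02 11:42:07.120  1234  1456 E AndroidRuntime: constructed sample: android.os.BadParcelableException: Parcel error reading WorkSource
03-02 11:42:07.121  1234  1456 E AndroidRuntime: constructed sample: at android.os.WorkSource.createFromParcel(WorkSource.java)
03-02 11:42:08.001  2222  2222 I ActivityManager: constructed sample: Start proc 10123:com.example.app
03-02 11:42:08.500  1234  1470 D PowerManagerService: constructed sample: WorkSource updated for wakelock
03-02 11:42:09.002  3333  3333 E Parcel  : constructed sample: unmarshalling failure in app process
""".splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one threadtime record into its fields, or None if it is not one."""
    m = THREADTIME.match(line)
    return m.groupdict() if m else None


def find_worksource_parcel_errors(lines, system_server_pid: int) -> List[Dict[str, str]]:
    """Return warning-or-worse records emitted by system_server whose tag or
    message names WorkSource and whose message carries a parcel failure term.
    Informational and debug lines are ignored so normal WorkSource activity
    does not trip the filter."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or int(rec["pid"]) != system_server_pid:
            continue
        if rec["level"] not in "WEF":
            continue
        names_worksource = WORKSOURCE.search(rec["msg"]) or WORKSOURCE.search(rec["tag"])
        if names_worksource and PARCEL_FAIL.search(rec["msg"]):
            hits.append(rec)
    return hits


def is_repeated(hits: List[Dict[str, str]], threshold: int = 3) -> bool:
    """Repeated deserialization failures, not a single one, are the signal the
    page describes; the threshold is a tuning assumption."""
    return len(hits) >= threshold


if __name__ == "__main__":
    found = find_worksource_parcel_errors(SAMPLE_LOGCAT, SYSTEM_SERVER_PID)
    for rec in found:
        print(rec["time"], rec["level"], rec["tag"], rec["msg"])
    print("repeated:", is_repeated(found))
```

On a managed device the input would come from `adb logcat -v threadtime -d` (or the MDM's log collector) rather than the embedded sample; everything else stays the same.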
Monitoring Recommendations
- Enforce continuous patch-level compliance checks across Android fleets and quarantine non-compliant devices.
- Monitor app installation sources and block sideloading on managed devices where business policy allows.
- Forward Android device telemetry into a centralized analytics platform to detect privilege escalation patterns across the fleet.
How to Mitigate CVE-2023-20963
Immediate Actions Required
- Update affected devices to the Android security patch level 2023-03-05 or later, which contains the fix referenced by Android ID A-220302519.
- Identify devices that cannot receive the March 2023 patch due to vendor support limitations and plan replacement or isolation.
- Restrict installation of untrusted applications, as exploitation requires a local foothold provided by a malicious app.
Patch Information
Google published the fix in the Android Security Bulletin March 2023. Device manufacturers and carriers ship the corresponding Android Open Source Project (AOSP) patch as part of the 2023-03-05 patch level. Pixel devices received the update directly from Google. Confirmation in CISA's catalog is available at the CISA Known Exploited Vulnerabilities entry for CVE-2023-20963.
Workarounds
- No vendor-supplied workaround exists. Apply the official security patch as the only supported remediation.
- For unpatchable legacy devices, limit app installation to vetted enterprise sources and remove user permissions to sideload APKs.
- Enroll devices in MDM and apply strict application allowlists until patched firmware is available.
# Verify the Android security patch level on a managed device via adb
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2023-03-05 or later
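The adb one-liner above checks a single device; the added example below extends it to a fleet audit. It is example code written for this page, not from Google or any MDM vendor. It compares each device's `ro.build.version.security_patch` against the 2023-03-05 level from the bulletin, treats an unparsable value as unknown rather than compliant, and skips devices that `adb devices` lists as offline or unauthorized, since `getprop` cannot be run on them. The device list and patch levels embedded below are constructed samples; `adb` itself is only invoked in the live helper.

```python
# Added fleet patch-level audit (example code; sample data is constructed).
import subprocess
from datetime import date
from typing import Dict, List, Optional

REQUIRED_PATCH_LEVEL = "2023-03-05"  # patch level that carries the fix


def parse_patch_level(value: str) -> Optional[date]:
    """ro.build.version.security_patch is YYYY-MM-DD; anything else is
    reported as unknown rather than silently treated as compliant."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_compliant(level: str, required: str = REQUIRED_PATCH_LEVEL) -> bool:
    parsed = parse_patch_level(level)
    return parsed is not None and parsed >= date.fromisoformat(required)


def parse_adb_devices(output: str) -> List[str]:
    """Serials in state 'device' from `adb devices` output. The first line is
    the 'List of devices attached' header; offline and unauthorized entries
    are skipped because getprop would fail on them."""
    serials = []
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def query_patch_level(serial: str) -> str:
    """Run the page's getprop check against one attached device."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def classify(levels: Dict[str, str], required: str = REQUIRED_PATCH_LEVEL) -> Dict[str, List[str]]:
    """Bucket devices so unknown values surface for manual follow-up instead
    of being lost in either the compliant or the non-compliant count."""
    buckets: Dict[str, List[str]] = {"compliant": [], "needs_patch": [], "unknown": []}
    for serial, level in levels.items():
        if parse_patch_level(level) is None:
            buckets["unknown"].append(serial)
        elif is_compliant(level, required):
            buckets["compliant"].append(serial)
        else:
            buckets["needs_patch"].append(serial)
    return buckets


def audit_live(required: str = REQUIRED_PATCH_LEVEL) -> Dict[str, List[str]]:
    """Enumerate attached devices with adb and classify each one."""
    listing = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True)
    serials = parse_adb_devices(listing.stdout)
    return classify({s: query_patch_level(s) for s in serials}, required)


# Constructed sample transcript and readings; serials are made up.
SAMPLE_ADB_DEVICES = """List of devices attached
emulator-5554\tdevice
R58M1234ABC\tdevice
0123456789ABCDEF\tunauthorized
"""
SAMPLE_LEVELS = {
    "emulator-5554": "2023-03-05",
    "R58M1234ABC": "2022-12-01",
    "ZX1G22ABCD": "unknown",
}

if __name__ == "__main__":
    for bucket, serials in classify(SAMPLE_LEVELS).items():
        print(f"{bucket}: {serials}")
```

Devices landing in `needs_patch` map to the first mitigation action above; those in `unknown` usually indicate a vendor build that does not populate the property and should be checked through the MDM inventory instead.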
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.