CVE-2023-21036 Overview
CVE-2023-21036 is a logic error vulnerability in Android's BitmapExport.java component that results in a failure to truncate the image file after editing. This flaw, commonly referred to as "aCropalypse," allows sensitive information from previously cropped or edited images to remain accessible within the image file. When a user crops or edits a screenshot on an affected Android device, the original unedited image data may not be fully removed, potentially exposing private information that the user intended to redact.
Critical Impact
Cropped or edited screenshots on affected Android devices may retain original image data, leading to unintended disclosure of sensitive information such as personal details, financial information, or private communications that users believed they had removed.
Affected Products
- Google Android (kernel level)
- Google Pixel devices with Markup tool
- Android devices using affected image editing components
Discovery Timeline
- 2023-03-24 - CVE-2023-21036 published to NVD
- 2025-02-25 - Last updated in NVD database
Technical Details for CVE-2023-21036
Vulnerability Analysis
The vulnerability resides in Android's image processing workflow, specifically within BitmapExport.java. When users crop or edit images using the built-in Markup tool on Pixel devices, the application writes the modified (smaller) image to the same file but fails to truncate the file to the new, smaller size. Classified as CWE-703 (improper check or handling of exceptional conditions), the defect results in the original image data being preserved after the end of the new, cropped image within the same file.
Standard image viewers typically only render data up to the end-of-image marker and ignore trailing data, making the vulnerability invisible to casual observation. However, specialized tools can extract the original, uncropped image data from these files, potentially revealing information the user intended to remove.
Root Cause
The root cause is a logic error in the code where the output stream is opened in a mode that does not truncate the existing file before writing. When the edited image is smaller than the original, the remaining bytes from the original image persist in the file after the new image data ends. The file size remains unchanged despite containing a smaller image, and standard PNG parsing stops at the end-of-image marker (the IEND chunk), leaving the residual data intact but hidden from normal viewing.
Attack Vector
This vulnerability requires local access to exploit. An attacker would need to obtain image files that were previously cropped or edited on an affected Android device. The attack scenario typically involves:
- A user captures a screenshot containing sensitive information
- The user crops or edits the image to remove sensitive portions using the Markup tool
- The user shares the edited image (via messaging, email, social media, etc.)
- An attacker retrieves the shared image file
- Using image analysis tools, the attacker extracts the original uncropped data from the file's trailing bytes
The vulnerability mechanism involves the Markup tool opening the file without the truncation flag, causing the edited image to overwrite only the beginning portion of the original file while leaving excess bytes from the original image intact.
Detection Methods for CVE-2023-21036
Indicators of Compromise
- Image files with file sizes larger than expected for their visible dimensions
- PNG files containing data past the IEND chunk marker
- Screenshot files edited with the Android Markup tool before the March 2023 security patch was applied
- Images whose file size is out of proportion to their visible content
Detection Strategies
- Compare visible image dimensions against total file size to identify anomalies
- Parse PNG files to detect data existing beyond the IEND chunk marker
- Audit image files shared from potentially affected Android devices
- Use specialized forensic tools designed to detect aCropalypse artifacts
Monitoring Recommendations
- Implement file integrity monitoring for sensitive image repositories
- Monitor for unusual file size patterns in image uploads
- Consider scanning shared images for residual data indicators
- Review image processing pipelines for proper file truncation handling
How to Mitigate CVE-2023-21036
Immediate Actions Required
- Update affected Android devices to the March 2023 security patch level or later
- Using a trusted image editor, re-save any sensitive images that were edited before the patch was applied
- Review previously shared cropped images for potential sensitive data exposure
- Consider using third-party image editing applications that properly handle file truncation
Patch Information
Google addressed this vulnerability in the March 2023 Pixel Security Bulletin. Users should ensure their devices are updated to the latest security patch level. The fix ensures that image files are properly truncated when edits result in a smaller file size, preventing original image data from persisting.
Workarounds
- Use alternative image editing applications that properly truncate files when saving
- Convert edited images to a different format (e.g., save as JPEG) so that the output is written as a completely new file
- Take new screenshots of already-cropped images to create clean files
- Use the share function directly from the crop interface rather than saving and sharing separately
- For sensitive content, verify file sizes match expected dimensions before sharing
For existing affected images, specialized tools are available to strip residual data by re-encoding the visible portion of the image to a new file.
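The Python script below is an added illustration, not code from Google, from the Markup tool, or from this page's source. It reproduces the root cause described under "Root Cause" with plain file modes (a read/write open that does not truncate, versus a write open that does), implements the detection strategy of walking PNG chunks to count bytes past the IEND chunk, and applies the mitigation of stripping everything after IEND into a clean copy. The PNG builder, the file names and the pixel colours are constructed sample data; no real screenshots are involved.

```python
"""Reproduce, detect and clean up the aCropalypse-style residual-data condition.

Added example (not the page's or Google's code). All images are constructed
in memory; the on-disk file lives in a temporary directory.
"""
import os
import struct
import tempfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, pixel: bytes) -> bytes:
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is prefixed with filter type 0 (None).
    raw = b"".join(b"\x00" + pixel * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC.

    A viewer stops here; anything after this offset is residual data.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Detection: number of bytes stored after the IEND chunk (0 for a clean file)."""
    return len(data) - png_end_offset(data)


def strip_trailing(data: bytes) -> bytes:
    """Mitigation: keep only the bytes a viewer renders, dropping residual data."""
    return data[:png_end_offset(data)]


def overwrite_without_truncate(path: str, new_data: bytes) -> None:
    """Mimics the bug: 'r+b' rewrites from offset 0 but never shrinks the file."""
    with open(path, "r+b") as f:
        f.write(new_data)


def overwrite_with_truncate(path: str, new_data: bytes) -> None:
    """Mimics the fix: 'wb' truncates the existing file before writing."""
    with open(path, "wb") as f:
        f.write(new_data)


def demo() -> dict:
    """Run the buggy and fixed save paths against a constructed screenshot."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "screenshot.png")
        original = make_png(200, 200, b"\xff\x00\x00")  # large "uncropped" image
        cropped = make_png(16, 16, b"\x00\x00\xff")     # small "cropped" image
        with open(path, "wb") as f:
            f.write(original)

        overwrite_without_truncate(path, cropped)
        with open(path, "rb") as f:
            buggy = f.read()

        overwrite_with_truncate(path, cropped)
        with open(path, "rb") as f:
            fixed = f.read()

    return {
        "original_size": len(original),
        "cropped_size": len(cropped),
        "buggy_file_size": len(buggy),          # unchanged: still the original size
        "leaked_bytes": trailing_bytes(buggy),  # residual bytes past IEND
        "fixed_trailing": trailing_bytes(fixed),
        "stripped_matches_crop": strip_trailing(buggy) == cropped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`trailing_bytes` is the check to run over a batch of shared screenshots: a clean PNG returns 0, and any positive value means a viewer is hiding data that an analyst would otherwise never see. `strip_trailing` is the simplest form of the clean-up the workaround section describes, since cutting at IEND removes the residue without re-encoding the visible pixels.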
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.