CVE-2023-21036
Published on: Not Yet Published
Last Modified on: 03/29/2023 12:53:00 PM UTC
Certain versions of Android from Google contain the following vulnerability:
In BitmapExport.java, there is a possible failure to truncate images due to a logic error in the code.
Product: Android
Versions: Android kernel
Android ID: A-264261868
References: N/A
- CVE-2023-21036 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
CVSS3 Score: 5.5 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
LOCAL | LOW | LOW | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | NONE | NONE |
CVE References
Description | Tags | Link |
---|---|---|
Pixel Update Bulletin—March 2023 | Android Open Source Project | source.android.com text/html |
Related QID Numbers
- 610470 Google Pixel Android March 2023 Security Patch Missing
Exploit/POC from Github
Detection and sanitization for Acropalypse Now - CVE-2023-21036
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Google | Android | - | All | All | All |
- cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions
Title | Posted (UTC) |
---|---|
@dougallj btw the CVE is CVE-2023-21036, but you won't find any useful information attached to it yet. | 2023-03-18 06:56:28 |
@bhop_art Assuming the fix for reserved CVE-2023-21036 in Markup there is related to this issue - that's the perfect solution. | 2023-03-18 10:08:33 |
@linuxgemini @JulianKlode @ItsSimonTime @David3141593 yes, but no. CVE-2023-21036 is not yet public. | 2023-03-18 11:26:19 |
@SGgrc CVE-2023-21036 / acropalypse is bonkers. 5+ years the cropping / editing tools for screenshots on Google Pix… twitter.com/i/web/status/1… | 2023-03-18 12:18:44 |
CVE-2023-21036: when a screenshot is cropped or edited with the Markup app on Pixel phones and then saved, data can be recovered from the saved image. twitter.com/itssimontime/s… | 2023-03-18 17:23:49 |
This one is CVE-2023-21036, I see. source.android.com/docs/security/… | 2023-03-18 20:17:23 |
From the top, on a Pixel 6a: 1. The screenshot as taken 2. Cropped and saved (it gets saved over the original, so I retook the screenshot. The file size gets bigger for some reason, which I think is the effect of CVE-2023-21036) 3. In Photos, crop 1… twitter.com/i/web/status/1… | 2023-03-18 20:56:09 |
This vulnerability is numbered CVE-2023-21036 and has been fixed in the March security patch. In theory, Pixels still within their support period just need to update to the latest system version; those still using a Pixel 4 or earlier models had better find an alternative tool… twitter.com/itssimontime/s… | 2023-03-19 00:13:40 |
You can try the recovery here. acropalypse.app The issue itself appears to have been addressed as CVE-2023-21036, so Pixel users should update Android.… twitter.com/i/web/status/1… | 2023-03-19 07:00:44 |
I was wondering how a seemingly magical tool that recovers the original data (though not always) from image data edited on Android could be possible, and it turns out there was an interesting vulnerability called CVE-2023-21036. da.vidbuchanan.co.uk/blog/exploitin… | 2023-03-19 14:10:36 |
Exploit for CVE-2023-21036 sploitus.com/exploit?id=38C… #Exploit #Sploitus | 2023-03-20 00:28:40 |
Vulnerability CVE-2023-21036 affecting Pixel smartphones allows for screenshots to be unmodified if using Google's… twitter.com/i/web/status/1… | 2023-03-20 10:16:33 |
Looks like it's CVE-2023-21036 twitter.com/pc_watch/statu… | 2023-03-20 13:29:38 |
Exploiting aCropalypse: Recovering Truncated PNGs (CVE-2023-21036) da.vidbuchanan.co.uk/blog/exploitin… By @David3141593… twitter.com/i/web/status/1… | 2023-03-20 14:30:01 |
"A vulnerability (CVE-2023-21036) has been discovered in Markup, the image editing tool that comes standard on Google Pixel, that allows the pre-edit screenshot to be recovered" [Yajiuma PC Watch] Google P… twitter.com/i/web/status/1… | 2023-03-21 04:50:24 |
Wow, CVE-2023-21036 is technically really interesting (though as a sensitive vulnerability it is serious for some users). Given the characteristics of PNG, the larger the filled-in area, the higher the chance of recovery. | 2023-03-21 06:33:46 |
Added "[Vulnerability] CVE-2023-21036, a vulnerability that allows screenshots edited on Google Pixel to be recovered: Twitte.." togetter.com/li/2106735 to favorites. | 2023-03-21 13:28:22 |
The acropalypse vulnerability (CVE-2023-21036) in Google Pixel phones abclinuxu.cz/zpravicky/zran… | 2023-03-21 13:29:17 |
The 'Acropalypse' (CVE-2023-21036) flaw highlights the need for 2-factor redaction in sensitive data. Taking a scre… twitter.com/i/web/status/1… | 2023-03-21 13:34:12 |
[Vulnerability] CVE-2023-21036, a vulnerability that allows screenshots edited on Google Pixel to be recovered: roundup of Twitter reactions togetter.com/li/2106735 #Togetter | 2023-03-21 21:58:21 |
Added "[Vulnerability] CVE-2023-21036, a vulnerability that allows screenshots edited on Google Pixel to be recovered: Twitte.." togetter.com/li/2106735 to favorites. | 2023-03-22 00:04:55 |
@zdimension_ @ItsSimonTime @David3141593 It appears to have been fixed in the March update. CVE-2023-21036 was patc… twitter.com/i/web/status/1… | 2023-03-22 01:42:30 |
Not Apocalypse but the "aCropalypse" vulnerability (CVE-2023-21036). It should be resolved by the March update, but PNGs that have already been generated… This article also has a site for testing whether a PNG is a risky one… twitter.com/i/web/status/1… | 2023-03-22 02:10:27 |
CVE-2023-21036 looks bad, given that it has already been found in other products too | 2023-03-22 06:07:27 |
@afterdawnfi As far as Pixel goes, a fix for this already arrived on 13 March. CVE-2023-21036 source.android.com/docs/security/… | 2023-03-22 17:50:50 |
Windows Snipping Tool is vulnerable to Acropalypse (CVE-2023-21036) too. When saving over a file, Snipping Tool wil… twitter.com/i/web/status/1… | 2023-03-22 18:11:53 |
I made a Yara rule and some python scripts for detection and sanitization of Acropalypse (CVE-2023-21036) affected… twitter.com/i/web/status/1… | 2023-03-22 19:23:51 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 -… twitter.com/i/web/status/1… | 2023-03-22 19:27:19 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 github.com/infobyte/CVE-2… | 2023-03-22 19:28:06 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 via /r/netsec… twitter.com/i/web/status/1… | 2023-03-22 19:59:07 |
New post: "YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036" ift.tt/a41Owu0 | 2023-03-22 20:48:27 |
The vuln CVE-2023-21036 has a tweet created 0 days ago and retweeted 12 times. twitter.com/ogianatiempo/s… #pow1rtrtwwcve | 2023-03-23 02:06:00 |
Microsoft is investigating whether the Google Pixel vulnerability (CVE-2023-21036) also affects Windows Snipping Tool. A vulnerability that allows the cropped-out part of a screenshot to be recovered.… twitter.com/i/web/status/1… | 2023-03-23 02:16:00 |
Acropalypse - vulnerability related to cropped screenshots news.hada.io/topic?id=8771 - Vulnerability in Google Pixel's default screenshot editing app (CVE-2023-21036) - the image… twitter.com/i/web/status/1… | 2023-03-23 02:39:02 |
ift.tt/6BkryQt YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 | 2023-03-23 13:56:18 |
#software YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036… twitter.com/i/web/status/1… | 2023-03-23 14:33:54 |
CVE-2023-21036 har-sia.info/CVE-2023-21036… #HarsiaInfo | 2023-03-23 15:08:10 |
@David3141593 I like their sense of humor. curl raw.githubusercontent.com/infobyte/CVE-2… -s --output - \| xxd \| grep END 0002d400:… twitter.com/i/web/status/1… | 2023-03-23 19:44:02 |
CVE-2023-21036 Acropalypse detection and sanitization tools. github.com/infobyte/CVE-2… #cve #cybersecurity… twitter.com/i/web/status/1… | 2023-03-23 20:23:15 |
CVE-2023-21036 : In BitmapExport.java, there is a possible failure to truncate images due to a logic error in… twitter.com/i/web/status/1… | 2023-03-24 20:38:46 |
Exploit for CVE-2023-21036 sploitus.com/exploit?id=902… #Exploit #Sploitus | 2023-03-25 00:28:41 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 | 2023-03-22 19:23:55 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 | 2023-03-22 20:46:41 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 | 2023-03-23 13:30:47 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 | 2023-03-23 13:37:57 |
YARA rule for rapid detection of PNG images affected by Acropalypse - CVE-2023-21036 | 2023-04-25 14:21:45 |