Android 14 Security Release Notes

Published October 4, 2023 | Updated March 4, 2023

These Android Security Release Notes contain details of security vulnerabilities affecting Android devices that are addressed as part of Android 14. Android 14 devices with a security patch level of 2023-10-01 or later are protected against these issues (Android 14, as released on AOSP, will have a default security patch level of 2023-10-01). To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues prior to publication. Source code patches for these issues will be released to the Android Open Source Project (AOSP) repository as part of the Android 14 release.

The severity assessment of issues in these release notes is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

We have had no reports of active customer exploitation or abuse of these newly reported issues. Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

Announcements

  • The issues described in this document are addressed as part of Android 14. This information is provided for reference and transparency.
  • We would like to acknowledge and thank the security research community for their continued contributions towards securing the Android ecosystem.

Android and Google service mitigations

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Android 14 vulnerability details

The sections below provide details for security vulnerabilities fixed as part of Android 14. Vulnerabilities are grouped under the component that they affect and include details such as the CVE, associated references, type of vulnerability, and severity.

Android runtime

CVE References Type Severity
CVE-2022-29824 A-272276710 EoP High
CVE-2023-21309 A-266432364 ID Moderate
CVE-2023-21366 A-265440128 ID Moderate
CVE-2023-21367 A-265499381 ID Moderate
CVE-2023-21372 A-262741239 EoP Moderate
CVE-2023-40101 A-267617531 ID Moderate

Framework

CVE References Type Severity
CVE-2023-21342 A-232799171 EoP High
CVE-2023-21343 A-257953844 EoP High
CVE-2023-21351 A-232798676 EoP High
CVE-2023-21398 A-274592326 EoP High
CVE-2023-21362 A-229633537 DoS High
CVE-2023-21364 A-262595156 DoS High
CVE-2023-21365 A-262594744 DoS High
CVE-2023-21298 A-179699722 EoP Moderate
CVE-2023-21324 A-197327805 EoP Moderate
CVE-2023-21328 A-195963690 EoP Moderate
CVE-2023-21337 A-179783499 EoP Moderate
CVE-2023-21338 A-179783492 EoP Moderate
CVE-2023-21341 A-190694761 EoP Moderate
CVE-2023-21374 A-267313135 EoP Moderate
CVE-2023-21397 A-245300607 EoP Moderate
CVE-2022-20264 A-217561828 ID Moderate
CVE-2022-27404 A-271684625 ID Moderate
CVE-2023-20907 A-239415997 DoS High
CVE-2023-20908 A-239415861 DoS High
CVE-2023-21293 A-213903886 ID Moderate
CVE-2023-21294 A-191678586 ID Moderate
CVE-2023-21295 A-187957189 ID Moderate
CVE-2023-21296 A-202386106 ID Moderate
CVE-2023-21299 A-224533639 ID Moderate
CVE-2023-21300 A-224015938 ID Moderate
CVE-2023-21301 A-224976267 ID Moderate
CVE-2023-21302 A-228450093 ID Moderate
CVE-2023-21303 A-208257145 ID Moderate
CVE-2023-21304 A-208257015 ID Moderate
CVE-2023-21305 A-207671082 ID Moderate
CVE-2023-21306 A-208258924 ID Moderate
CVE-2023-21316 A-207133734 ID Moderate
CVE-2023-21317 A-207670653 ID Moderate
CVE-2023-21318 A-208258815 ID Moderate
CVE-2023-21319 A-217740016 ID Moderate
CVE-2023-21320 A-205707373 ID Moderate
CVE-2023-21321 A-231160336 ID Moderate
CVE-2023-21323 A-232796464 ID Moderate
CVE-2023-21326 A-232415364 ID Moderate
CVE-2023-21327 A-186404361 ID Moderate
CVE-2023-21329 A-185126503 ID Moderate
CVE-2023-21330 A-238299601 ID Moderate
CVE-2023-21331 A-227208010 ID Moderate
CVE-2023-21332 A-212287294 ID Moderate
CVE-2023-21333 A-212287061 ID Moderate
CVE-2023-21334 A-189944359 ID Moderate
CVE-2023-21336 A-216823971 ID Moderate
CVE-2023-21344 A-248250734 ID Moderate
CVE-2023-21346 A-248250674 ID Moderate
CVE-2023-21348 A-249058614 ID Moderate
CVE-2023-21349 A-241233589 ID Moderate
CVE-2023-21354 A-241233630 ID Moderate
CVE-2023-21377 A-231587164 ID Moderate
CVE-2023-21382 A-161370118 ID Moderate
CVE-2023-21387 A-280296227 ID Moderate
CVE-2023-21339 A-235353864 DoS Moderate
CVE-2023-21345 A-249056757 ID Low
CVE-2023-35678 A-286882367 EoP High
CVE-2023-45780 A-215212215 EoP High

Media Framework

CVE References Type Severity
CVE-2023-21381 A-274883119 EoP High
CVE-2023-21355 A-274815060 EoP Moderate

System

CVE References Type Severity
CVE-2021-39810 A-212610736 EoP High
CVE-2023-21313 A-268341970 EoP High
CVE-2023-21358 A-274447627 EoP High
CVE-2023-21361 A-277249213 EoP High
CVE-2023-21392 A-281346084 EoP High
CVE-2023-21312 A-277915880 ID High
CVE-2023-21315 A-277578150 ID High
CVE-2023-21394 A-273502295 ID High
CVE-2023-21356 A-276975913 RCE Moderate
CVE-2023-21310 A-274722163 EoP Moderate
CVE-2023-21360 A-242994452 EoP Moderate
CVE-2023-21370 A-263948587 EoP Moderate
CVE-2023-21371 A-263948508 EoP Moderate
CVE-2023-21373 A-277073811 EoP Moderate
CVE-2023-21375 A-261071553 EoP Moderate
CVE-2023-21376 A-212694314 EoP Moderate
CVE-2023-21378 A-257953390 EoP Moderate
CVE-2023-21380 A-274722185 EoP Moderate
CVE-2023-21388 A-269122009 EoP Moderate
CVE-2023-21389 A-278559731 EoP Moderate
CVE-2023-21390 A-271849181 EoP Moderate
CVE-2023-21393 A-262242946 EoP Moderate
CVE-2023-21396 A-232258773 EoP Moderate
CVE-2022-20531 A-231988638 ID Moderate
CVE-2023-21308 A-252764300 ID Moderate
CVE-2023-21314 A-266433017 ID Moderate
CVE-2023-21325 A-230755151 ID Moderate
CVE-2023-21335 A-232938844 ID Moderate
CVE-2023-21340 A-236813210 ID Moderate
CVE-2023-21347 A-242171908 ID Moderate
CVE-2023-21350 A-243792935 ID Moderate
CVE-2023-21352 A-244155256 ID Moderate
CVE-2023-21353 A-244155333 ID Moderate
CVE-2023-21357 A-252996038 ID Moderate
CVE-2023-21359 A-260726311 ID Moderate
CVE-2023-21368 A-277288588 ID Moderate
CVE-2023-21379 A-264921486 ID Moderate
CVE-2023-21383 A-233607547 ID Moderate
CVE-2023-21384 A-256590334 ID Moderate
CVE-2023-21385 A-271458258 ID Moderate
CVE-2023-21395 A-259939435 ID Moderate
CVE-2023-21311 A-237289258 DoS Moderate
CVE-2023-21369 A-264260808 DoS Moderate
CVE-2023-21391 A-278556945 DoS Moderate
CVE-2023-21386 A-275552292 ID Moderate
CVE-2023-21297 A-230733237 ID Moderate
CVE-2023-21307 A-192475649 ID High

Common questions and answers

This section answers common questions that may occur after reading this bulletin.

1. How do I determine if my device is updated to address these issues?

To learn how to check a device's security patch level, see Check and update your Android version.

Android 14, as released on AOSP, has a default security patch level of 2023-10-01. Android devices running Android 14 and with a security patch level of 2023-10-01 or later address all issues contained in these security release notes.

2. What do the entries in the Type column mean?

Entries in the Type column of the vulnerability details table reference the classification of the security vulnerability.

Abbreviation Definition
RCE Remote code execution
EoP Elevation of privilege
ID Information disclosure
DoS Denial of service
N/A Classification not available

3. What do the entries in the References column mean?

Entries under the References column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

Prefix Reference
A- Android bug ID

Versions

Version Date Notes
1.0 October 4, 2023 Bulletin Published
1.1 October 26, 2023 Updated Issue List
1.2 November 9, 2023 Updated Issue List
1.3 March 4, 2024 Updated Issue List