CVE-2023-46139
CVE-2023-46139 is a medium-severity vulnerability in Kernelsu with a CVSS 3.x base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.
Key facts
- Severity: Medium (CVSS 3.x base score 5.0)
- EPSS exploit prediction: 0% (7th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-863
- Affected product: Kernelsu
- Published:
- Last modified:
Description
KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps.
Frequently asked questions
- What is CVE-2023-46139?
- KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps.
- How severe is CVE-2023-46139?
- CVE-2023-46139 has a CVSS 3.x base score of 5.0, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity low, and availability low.
- Is CVE-2023-46139 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (7th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-46139?
- CVE-2023-46139 affects Kernelsu. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-46139?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-46139 published?
- CVE-2023-46139 was published on 2023-10-31 and last updated on 2026-06-17.
References
- http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#770
- http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#783
- https://drive.google.com/drive/folders/1XdYCCAhC_mkt1k1IyUiwcgFsuOFvwNRl
- https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L179C32-L179C32
- https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L188
- https://github.com/tiann/KernelSU/commit/d24813b2c3738f2f9bd762932141cadd948c354f
- https://github.com/tiann/KernelSU/security/advisories/GHSA-86cp-3prf-pwqq
Affected products (1)
- cpe:2.3:a:kernelsu:kernelsu:*:*:*:*:*:*:*:*
More vulnerabilities in Kernelsu
- CVE-2023-5521 — Critical (CVSS 9.8): Incorrect Authorization in GitHub repository tiann/kernelsu prior to v0.6.9.
- CVE-2023-49794 — Medium (CVSS 6.7): KernelSU is a Kernel-based root solution for Android devices. In versions 0.7.1 and prior, the logic of get apk path in…
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →