In checkDebuggingDisallowed of DeviceVersionFragment.java, there is a possible way to access adb before SUW completion due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation
The vulnerability lies in an incorrect default value for access control in the checkDebuggingDisallowed function, which is responsible for verifying whether ADB debugging should be blocked during the device setup phase (Setup Wizard, SUW). Since the default value is set in an insecure manner, an attacker can gain access to the ADB shell before the device is properly configured and secured. Exploitation does not require any additional privileges or user interaction.
An attacker with physical or local access to the device can gain elevated privileges through the ADB interface, which in turn allows them to take control of the device before the setup process is completed.
Security patches available from the manufacturer should be applied according to the references — Google Pixel Watch security bulletin dated 2023-12-01 (https://source.android.com/docs/security/bulletin/pixel-watch/2023/2023-12-01).
Google Pixel Watch and Google Pixel Watch firmware (Pixel Watch Firmware); specific versions indicated in the manufacturer's security bulletin from December 2023.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGoogle Pixel Watch
HWGoogle11Google Pixel Watch Firmware
OSGooglewszystkie wersje
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML
Type Confusion w silniku V8 Chrome — zdalne wykonanie kodu (RCE)
Use-after-free w Google Chrome Visuals umożliwiający ucieczkę z sandbox