CRITICAL🇵🇱 Wersja polska

CVE-2023-48424

CVSS 9.8v3.1pub. 2023-12-11upd. 2026-02-25

U-Boot shell vulnerability resulting in Privilege escalation in a production device

🤖 AI Analysis
How it works

The vulnerability concerns the U-Boot bootloader shell present in the firmware of Google Chromecast devices. The vulnerability allows an attacker to obtain elevated privileges in the device's production environment. The detailed technical mechanism has not been disclosed in the available description, however the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that the attack can be conducted remotely, without user interaction and without required privileges.

Impact

An attacker can obtain elevated privileges on the device, which consequently may lead to complete takeover of the device, violation of confidentiality, integrity, and availability of Chromecast data and functions.

Mitigation & patch

Apply patches available from the manufacturer according to references — Chromecast security bulletin dated 2023-12-01 available at: https://source.android.com/docs/security/bulletin/chromecast/2023-12-01. It is recommended to update the device firmware to the latest version.

Who is affected

Google Chromecast and Google Chromecast firmware — specific versions indicated in the Chromecast security bulletin from December 2023 (2023-12-01) available in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Google Chromecast

    HW
    Google
    wszystkie wersje
  • Google Chromecast Firmware

    OS
    Google
    < 2023-10-01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2023-48426CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność u-boot w Google Chromecast — dostęp do powłoki przez UART

CVE-2023-48417CRITICAL9.8PL ✓ten sam produkt

Brak sprawdzania uprawnień w aplikacji KeyChainActivity na urządzeniach Google Chromecast

CVE-2023-48425CRITICAL9.8PL ✓ten sam produkt

Podatność U-Boot w Google Chromecast umożliwiająca trwałe wykonanie kodu

CVE-2023-6181CRITICAL9.8PL ✓ten sam produkt

RCE w Google Chromecast — trwałe wykonanie kodu przez błąd BCB

CVE-2018-12716MEDIUM4.3ten sam produkt

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...