CRITICAL🇵🇱 Wersja polska

CVE-2023-48426

CVSS 10.0v3.1pub. 2024-04-05upd. 2025-07-24

u-boot bug that allows for u-boot shell and interrupt over UART

🤖 AI Analysis
How it works

A flaw in the u-boot bootloader implementation on Google Chromecast devices allows interaction with the u-boot shell and interruption of the boot sequence through the UART interface without requiring authentication. The lack of required identity verification (CWE-306) means that anyone with physical or logical access to the UART interface can issue commands directly in the bootloader environment. This enables interference with the system startup process at a very low level.

Impact

An attacker can gain full control over the device boot process, potentially modifying or replacing firmware, bypassing secure boot mechanisms, and obtaining elevated privileges in the system — resulting in complete violation of confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to references — Google Chromecast security bulletin from December 2023 (2023-12-01) available at: https://source.android.com/docs/security/bulletin/chromecast/2023-12-01

Who is affected

Google Chromecast Firmware on devices: Google Chromecast GA00439, Google Chromecast GA3A00403A14, Google Chromecast H2G2-42, Google Chromecast NC2-645B

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Google Chromecast Firmware

    OS
    Google
    5.0
  • Google Chromecast Ga00439

    HW
    Google
    wszystkie wersje
  • Google Chromecast Ga3a00403a14

    HW
    Google
    wszystkie wersje
  • Google Chromecast H2g2 42

    HW
    Google
    wszystkie wersje
  • Google Chromecast Nc2 645b

    HW
    Google
    wszystkie wersje
  • Google Chromecast Nc2 6a5

    HW
    Google
    wszystkie wersje
  • Google Chromecast Nc2 6a5 D

    HW
    Google
    wszystkie wersje
  • Google Chromecast Rux J42

    HW
    Google
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-48417CRITICAL9.8PL ✓ten sam produkt

Brak sprawdzania uprawnień w aplikacji KeyChainActivity na urządzeniach Google Chromecast

CVE-2023-48424CRITICAL9.8PL ✓ten sam produkt

Privilege escalation poprzez podatność w U-Boot shell na Google Chromecast

CVE-2023-48425CRITICAL9.8PL ✓ten sam produkt

Podatność U-Boot w Google Chromecast umożliwiająca trwałe wykonanie kodu

CVE-2023-6181CRITICAL9.8PL ✓ten sam produkt

RCE w Google Chromecast — trwałe wykonanie kodu przez błąd BCB

CVE-2018-12716MEDIUM4.3ten sam produkt

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...