CVE-2023-5521 is a security vulnerability found in KernelSU, an open-source project for rooting Android devices. The issue lies in incorrect authorization checks, which existed in all versions before v.6.9. In simple terms: someone without proper permissions could potentially gain root access on devices running KernelSU.

- CVE Link: NVD Entry for CVE-2023-5521
- GitHub Security Advisory: GHSA-x2h5-v45w-cq7g
- Affected repository: tiann/kernelsu

2. Understanding KernelSU and Its Impact

KernelSU essentially acts like Magisk—it lets users gain root access on Android by injecting itself into the device’s kernel. That means it sits at one of the most critical layers of the Android operating system. If something goes wrong, an attacker could easily control the entire device.

So, if you’re using KernelSU to root your phone, an authorization bug here is a huge problem: anyone with app-level access could potentially become ‘root’ without your knowledge.

What Happened?

In KernelSU prior to v.6.9, the code that checks if a user or app is authorized to make root-level changes was faulty. This flaw allowed a local attacker (like a malicious app on your device) to bypass security restrictions and gain undeserved root privileges.

4. Real-World Exploit Example (with Code!)

Let’s say you have a bad app installed on your phone. It wants to escalate its privileges. Here’s how an exploit might look in practice (note: this is for educational purposes!):

// Assume the su binary provided by KernelSU is present

Process process = Runtime.getRuntime().exec("su -c id");
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));

String output = reader.readLine();
if (output.contains("uid=")) {
    // We're root!
    System.out.println("Exploit successful: App gained root access!");
} else {
    System.out.println("Failed to gain root.");
}

What’s happening?

Because of the CVE, KernelSU incorrectly authorizes the request, granting uid= (root).

- The app can now do anything on your device: read your files, install malware, brick your device, and so on.

NOTE: The actual vulnerability depended on KernelSU’s internal permission checking in kernel code, but the effect was exactly this: the door was left open.

Update immediately to v.6.9 or newer!

Download latest release

Extra Technical

The patch for CVE-2023-5521 hardened the permission check logic. Here’s a simplified (not actual) C code fix:

// Old: permit too many
if (requestor_uid ==  || is_whitelisted(requestor_uid)) {
    allow_action();
}

// Fixed: strict check
if (is_whitelisted(requestor_uid)) {
    allow_action();
}

The fix ensures only whitelisted UIDs (user IDs) are allowed, and doesn’t accidentally grant permission just because the ID might be 'root' or otherwise faulty.

Official KernelSU Advisory:

https://github.com/tiann/KernelSU/security/advisories/GHSA-x2h5-v45w-cq7g

National Vulnerability Database:

https://nvd.nist.gov/vuln/detail/CVE-2023-5521

Latest KernelSU Release (fixed):

https://github.com/tiann/KernelSU/releases

About KernelSU:

https://github.com/tiann/KernelSU

In Short...

CVE-2023-5521 is a serious security hole in the Android rooting tool KernelSU. If left unpatched, any app on your device could become root, putting your privacy and security at risk. The only safe move is to update KernelSU now and stay aware when rooting your device.

Timeline

Published on: 10/11/2023 12:15:00 UTC
Last modified on: 10/13/2023 18:07:00 UTC