CVE-2023-48345 is a security vulnerability identified in several Unisoc (Shanghai) Technologies Co., Ltd. chipsets, specifically the SC7731E, SC9832E, SC9863A, T310, T606, T612, T616, T610, T618, T760, T770, T820, and S8000 models. These chipsets are commonly used in mobile devices running Android 11 and Android 12. The vulnerability arises from an out-of-bounds read in the video decoder component due to improper input validation. This type of flaw is categorized under CWE-125 (Out-of-bounds Read), where the software reads data outside the bounds of allocated memory. Exploiting this vulnerability does not require additional execution privileges or user interaction, but it is limited to local access, meaning an attacker must have some level of local access or control over the device to trigger the flaw. The primary impact of this vulnerability is a local denial of service (DoS), where the video decoder could crash or become unresponsive, potentially disrupting multimedia functionality on affected devices. The CVSS v3.1 base score is 5.5 (medium severity), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating that the attack vector is local, requires low attack complexity, low privileges, no user interaction, and impacts availability only. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting that mitigation may rely on vendor updates or device firmware upgrades once available. Given the affected chipsets are embedded in a variety of consumer mobile devices, the vulnerability could affect end users and organizations relying on these devices for communication and multimedia tasks.

For European organizations, the impact of CVE-2023-48345 primarily concerns availability disruptions on devices using the affected Unisoc chipsets. Organizations with employees or operations relying on mobile devices incorporating these chipsets may experience interruptions in video playback or other multimedia services, potentially affecting productivity or communications. While the vulnerability does not allow for privilege escalation or data compromise, denial of service conditions could be exploited in targeted scenarios to disrupt device functionality. This could be particularly relevant for sectors where mobile device reliability is critical, such as field services, logistics, or remote workforces. Additionally, the local attack vector limits remote exploitation, but insider threats or compromised devices could be leveraged to trigger the DoS. The lack of known exploits reduces immediate risk, but the medium severity rating and absence of patches mean organizations should proactively monitor for updates and assess device inventories for affected hardware. The impact on confidentiality and integrity is negligible, but availability impact could affect operational continuity in specific contexts.

To mitigate CVE-2023-48345, European organizations should first identify and inventory devices using the affected Unisoc chipsets running Android 11 or 12. Since no patches are currently available, organizations should monitor Unisoc and device manufacturers for firmware or software updates addressing this vulnerability and prioritize timely deployment once released. In the interim, restricting local access to devices can reduce exploitation risk; this includes enforcing strong physical security controls, limiting device sharing, and employing mobile device management (MDM) solutions to monitor device health and usage. Organizations should also educate users about the risks of installing untrusted applications or granting unnecessary permissions that could enable local attackers to exploit the vulnerability. For critical environments, consider isolating or replacing devices with affected chipsets if feasible. Additionally, implementing robust incident response procedures to quickly detect and recover from device crashes or DoS conditions will help minimize operational impact. Network segmentation and endpoint protection can further reduce the risk of lateral movement if a device is compromised.