CRITICAL🇵🇱 Wersja polska

CVE-2023-48419

CVSS 10.0v3.1pub. 2024-01-02upd. 2024-11-21

An attacker in the wifi vicinity of a target Google Home can spy on the victim, resulting in Elevation of Privilege 

🤖 AI Analysis
How it works

The attacker must be within the physical range of the victim's Wi-Fi network. Without any privileges or user interaction, they are able to conduct an attack resulting in privilege escalation. The detailed technical mechanism has not been disclosed in the available description, however the full CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) indicates a vulnerability accessible remotely over the network, requiring no complicated conditions or prior privileges.

Impact

An attacker can obtain unauthorized elevated privileges on the device and spy on the victim — potentially gaining access to audio captured by the device's microphone. The vulnerability scope (Scope: Changed) suggests the possibility of exceeding the context of the device itself.

Mitigation & patch

Apply patches available from the manufacturer according to references (Google support page: support.google.com/product-documentation/answer/14273332). Google Home devices typically update automatically — verify that devices have automatic software updates enabled.

Who is affected

Google Nest Audio (firmware), Google Nest Mini (firmware), Google Home Mini (firmware) — specific versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Google Home

    HW
    Google
    wszystkie wersje
  • Google Home Firmware

    OS
    Google
    < 2.58
  • Google Home Mini

    HW
    Google
    wszystkie wersje
  • Google Home Mini Firmware

    OS
    Google
    < 2.58
  • Google Nest Audio

    HW
    Google
    wszystkie wersje
  • Google Nest Audio Firmware

    OS
    Google
    < 2.58
  • Google Nest Mini

    HW
    Google
    wszystkie wersje
  • Google Nest Mini Firmware

    OS
    Google
    < 2.58
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-32928MEDIUM5.9ten sam produkt

The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices...

CVE-2018-12716MEDIUM4.3ten sam produkt

The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2024-7971CRITICAL9.6⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption

CVE-2024-5274CRITICAL9.6⚠ KEVPL ✓ten sam vendor

Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML