GoogleOSV:ASB-A-272106880[Mainline Fix] AttributionSource may incorrectly validate the calling uid and pid depending on usage
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.8%
In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References
android.googlesource.com/platform/packages/modules/Wifi/+/e6ca0c031758d8b1511f6a359bec316b6d2e22fe
android.googlesource.com/platform/packages/modules/Wifi/+/f39ed052916716ef974102b3bad7ae102d0164a5
android.googlesource.com/platform/packages/modules/Wifi/+/f88a2294f53cf382908cc48f992273742f817dd5
source.android.com/security/bulletin/2024-06-01
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.8%