CA Technologies, A Broadcom Company Security Vulnerabilities

PDoS using high notification channel group count limit

In PreferencesHelper.java, an uncaught exception may cause the device to get stuck in a boot loop. This could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for...

Vulnerability: 3 vulnerabilities affecting GitOnBorg::android::platform::external::freetype

In ft_open_face_internal of ftobjs.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Detecting photos belonging to other users by posting a CallStyle notification

In visitUris of Notification.java, there is a possible way to leak image data across user boundaries due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

NuMediaExtractor::readSampleData() SEGV failures

In readSampleData of NuMediaExtractor.cpp, there is a possible out of bounds write due to uninitialized data. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for...

CallRedirection Service does not unbind when null returned from Service, which may lead to BAL

In onNullBinding of CallRedirectionProcessor.java, there is a possible long lived connection due to improper input validation. This could lead to local escalation of privilege and background activity launches with User execution privileges needed. User interaction is not needed for...

management feature to disable user package control does not fulfill API promise to prevent app from entering app standby buckets

In various functions of AppStandbyController.java, there is a possible way to break manageability scenarios due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Denial Of Service Android 13 September 2022]

In doInBackground of NotificationContentInflater.java, there is a possible temporary denial or service due to long running operations. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for...

Android 12 Pixel 6 Lock Screen Bypass that gives access to driving mode, and from the lock screen you can view recents and favorites locations, restricted notifications, contacts, podcasts history, ..

In canStartSystemGesture of RecentsAnimationDeviceState.java, there is a possible partial lockscreen bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Large images in RemoteViews can crash SystemUI

In multiple functions of multiple files, there is a possible way to make the device unusable due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Bypass patch of 209446496: Secondary user could disable secure nfc

In isToggleable of SecureNfcEnabler.java and SecureNfcPreferenceController.java, there is a possible way to enable NFC from a secondary account due to a permissions bypass. This could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User.....

ADP Grant - Intent mismatch between Intent.toUri and Intent.parseUri

In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Android 13 Beta] Fast Pair - Information disclosure of Bluetooth Model ID and MAC Address

In sendHalfSheetCancelBroadcast of HalfSheetActivity.java, there is a possible way to learn nearby BT MAC addresses due to an unrestricted broadcast intent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

a2dp_codec_fuzz: Tag-mismatch in A2DP_BuildCodecHeaderSbc

In A2DP_BuildCodecHeaderSbc of a2dp_sbc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Malicious app can bypass one-time permission revocation and keep it granted

In getGroupState of GrantPermissionsViewModel.kt, there is a possible way to keep a one-time permission granted due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Possible Vulnerability: Invalid check for Virtio descriptors

In is_valid of queue.rs, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

The setup wizard can be bypassed with the emergency dialer allowing app installation and file system access.

In onAttach of SettingsPreferenceFragment.java, there is a possible bypass of Factory Reset Protections due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

an potential OOB write in gatt_process_prep_write_rsp Function in gatt_cl.cc

In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

[Auto] [Bluetooth] Heap OOB write of 0x00 in SDP_AddAttribute

In SDP_AddAttribute of sdp_db.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Bypass fix of CVE-2022-20347: Making bluetooth discoverable via SettingsIntelligence#SliceDeepLinkTrampoline to start Settings#BluetoothDashboardFragment

In onStart of BluetoothSwitchPreferenceController.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for...

Bypass AppOps MODE_IGNORED

In createTrack of AudioFlinger.cpp, there is a possible way to record audio without a privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in phNciNfc_MfCreateXchgDataHdr in phNxpExtns_MifareStd.cpp in libnfc_nci_jni]

In phNciNfc_MfCreateXchgDataHdr of phNxpExtns_MifareStd.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Android T init_boot partition signed with public testkeys

In the Android operating system, there is a possible way to replace a boot partition due to improperly used crypto. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in pin_reply Function in bluetooth.cc in Bluetooth]

In pinReplyNative of com_android_bluetooth_btservice_AdapterService.cpp, there is a possible out of bounds read due to type confusion. This could lead to local escalation of privilege of BLE with no additional execution privileges needed. User interaction is not needed for...

[oob write due to invaild length check in Mfc_Transceive() of libnfc_nci_jni.so]

In Mfc_Transceive of phNxpExtns_MifareStd.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Outgoing call redirection by phone account settings tapjacking

In onCreate of PhoneAccountSettingsActivity.java and related files, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is...

With this vulneraility attackers can allow android most sensitive permission accessibility automatically with the help of antivirus like avast or any Playstore apps using 2 accessibility service

In onPackageRemoved of AccessibilityManagerService.java, there is a possibility to automatically grant accessibility services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Cross user image leak by logic error in multi-user profile customization

In onActivityResult of AvatarPickerActivity.java, there is a possible way to access images belonging to other users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Bypassing user interaction in phone account settings using duplicate registrations

In addOrReplacePhoneAccount of PhoneAccountRegistrar.java, there is a possible way to enable a phone account without user interaction due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mDesc

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mSound

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Native crash - com.google.android.projection.gearhead - signal 6 (SIGABRT)../libclang_rt.hwasan-aarch64-android.so (hwasan_tag_mismatch4)../libclang_rt.hwasan-aarch64-android.so (hwasan_tag_mismatch)../b...

In GetResolvedMethod of entrypoint_utils-inl.h, there is a possible use after free due to a stale cache. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

The "snoozeNotification" method of NotificationListenerService causes Android system to crash and cyclic reboot.

In setImpl of AlarmManagerService.java, there is a possible way to put a device into a boot loop due to an uncaught exception. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

App can redirect a call to different user without requiring INTERACT_ACROSS_USERS permission.

In onCallRedirectionComplete of CallsManager.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Pixploit] The binder bug

In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Child of b/237288416: [Out of Bounds Write in audioProfileToHal Function in HidlUtils.cpp in [email protected]]

In audioTransportsToHal of HidlUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in audioProfileToHal Function in HidlUtils.cpp in [email protected]]

In audioTransportsToHal of HidlUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in extract3GPPGlobalDescriptions Function in TextDescriptions.cpp in libstagefright_timedtext]

In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure from the media server with no additional execution privileges needed. User interaction is not needed for...

Parcel reuse allows BAL bypass

In recycle of Parcel.java, there is a possible way to start foreground activity from background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Vulnerability: external/expat (addBinding)

In storeAtts of xmlparse.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Malicious code in a-special-day (RubyGems)

-= Per source details. Do not edit below this...

Bypass fix of CVE-2021-39807 : Disable secure nfc in guest user via SettingsSlice

In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in updateAudioTrackInfoFromESDS_MPEG4Audio Function in MPEG4Extractor.cpp in libmp4extractor]

In updateAudioTrackInfoFromESDS_MPEG4Audio of MPEG4Extractor.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for...

Task hijacking via relinquishTaskIdentity attribute - test

In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Proxy PAC URL can use several URL schemes, including file: and jar:

In get of PacProxyService.java, there is a possible system service crash due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for...

Malicious code in packs-a (npm)

-= Per source details. Do not edit below this...

Malicious code in a-constructor.js (npm)

-= Per source details. Do not edit below this...

[Crafted HFP Client Packet Causes Out-of-bounds Write in Bluetooth]

In bta_hf_client_handle_cind_list_item of bta_hf_client_at.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

EoP: Unsafe package check leading to LaunchAnyWhere in AppRestrictionsFragment

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Malicious code in file-q-and-a (npm)

-= Per source details. Do not edit below this...

Malicious code in watch-a-fast-x-2023online-watching-at-home (npm)

-= Per source details. Do not edit below this...