CA Technologies, A Broadcom Company Security Vulnerabilities

ADP Grant - Enumerating other users' photos by providing PrinterDiscoverySession with a custom printer icon

In getCustomPrinterIcon of PrintManagerService.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Unauthenticated Bluetooth keystroke-injection in Pixel 7 running AP11.231117.006

In access_secure_service_from_temp_bond of btm_sec.cc, there is a possible way to achieve keystroke injection due to improper input validation. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Vulnerability: Information Leak in Print Spooler [#b/277961001 H]

In multiple files, there is a possible way that trimmed content could be included in PDF output due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Dataset.mInlinePresentation` can contains cross user slice, which will lead to cross user image render

In applyCustomDescription of SaveUi.java, there is a possible way to view images belonging to a different user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in attp_build_read_by_type_value_cmd in att_protocol.cc in libbt-stack]

In attp_build_read_by_type_value_cmd of att_protocol.cc , there is a possible out of bounds write due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

[Unexpected] Setup flow goes to LS after SIM card was inserted

In showNextSecurityScreenOrFinish of KeyguardSecurityContainerController.java, there is a possible way to access the lock screen during device setup due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction...

Launch Anywhere via Screen Saver on Pixel 6 Pro with Android 12L

In convertToComponentName of DreamService.java, there is a possible way to launch arbitrary protected activities due to intent redirection. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

color_conversion_fuzzer: Heap-buffer-overflow in android::ColorConverter::convertYUV420Planar16ToY410

In convertYUV420Planar16ToY410 of ColorConverter.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Record audio foreground requirement permissions bypass

In OpRecordAudioMonitor::onFirstRef of AudioRecordClient.cpp, there is a possible way to record audio from the background due to a missing flag. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Potential oob read due to missing bounds check in BleAdvertiserInterfaceImpl::SetPeriodicAdvertisingData() of bluetooth stack

In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

[Bluetooth][BTM] BTM_BleVerifySignature side-channel attack possibility

In BTM_BleVerifySignature of btm_ble.cc, there is a possible way to bypass signature validation due to side channel information disclosure. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth][A2DP] a2dp_vendor_opus_decoder_decode_packet OOB Access

In a2dp_vendor_opus_decoder_decode_packet of a2dp_vendor_opus_decoder.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[STS SDK Grant]Important conversation messages could leak to another user profile due to incorrect request of pin people space widget by SystemUI

In mOnDone of NotificationConversationInfo.java, there is a possible way to access app notification data of another user due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Keystroke-injection into Pixel 4a (5G) over unauthenticated Bluetooth(All Pixel devices are impacted)

In multiple locations, there is a possible way to inject keystrokes due to improper input validation. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

gpu_service_fuzzer: Heap-use-after-free in void* std::__1::__thread_proxy<std::__1::tuple<std::__1::unique_ptr<std::__1::__

In GpuService of GpuService.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth][GATT] build_read_multi_rsp underflow lead to OOB Write

In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for...

LaunchAnyWhere in SystemUI Screenshot

In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in convertSubgraphFromHAL in ShimConverter.cpp in libneuralnetworks_shim_static]

In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[Bug 4 of 7] Google Pixel Smartphone [FRP]Factory Reset Protection bypass from APP permission (OS Version = android 13) - 4. The Chrome application is not needed during provisioning/SUW/FRP

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed......

there is a possible constriction of directory permissions due to path prefix verification error, resulting in DOS of some parts-related function.

In update of MmsProvider.java, there is a possible way to change directory permissions due to a path traversal error. This could lead to local denial of service of SIM recognition with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Detecting photos belonging to other users via SystemUI QuickAccessWalletTile and WalletView

In multiple locations, there is a possible bypass of a multi user security boundary due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Detecting photos belonging to other users by posting a notification with a public version shown on the lockscreen

In visitUris of Notification.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

Privilege Escalation in com.android.server.am.ActivityManagerService#grantUriPermission

In readFrom of Uri.java, there is a possible bad URI permission grant due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In multiple functions of rmap.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

Android PIP Mode can cause restriction bypass

In updatePictureInPictureMode of ActivityRecord.java, there is a possible bypass of background launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Persisting existing notification access after reboot by posting a conversation notification with a shortcut with a super large id

In ShortcutInfo of ShortcutInfo.java, there is a possible way for an app to retain notification listening access due to an uncaught exception. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

WhatsApp able to use microphone even after permissions revoked & app force stop in Android 13 Pixel 6

In startInput of AudioPolicyInterfaceImpl.cpp, there is a possible way of erroneously displaying the microphone privacy indicator due to a race condition. This could lead to false user expectations. User interaction is needed for...

[AOSP Bluetooth Use after free-bta_hf_client_sdp.cc-bta_hf_client_do_disc]

In sdpu_build_uuid_seq of sdp_discovery.cc, there is a possible out of bounds write due to a use after free. This could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for...

Permanent denial of service via JobScheduler#schedule with invalid NetworkCapabilities.mTransportTypes

In several methods of JobStore.java, uncaught exceptions in job map parsing could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for...

BR/EDR link key downgrades

In btm_sec_encrypt_change of btm_sec.cc, there is a possible way to downgrade the link key type due to improperly used crypto. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Persisting existing notification access after reboot via a malformed notification listener with super large component name enabled

In onCreate of NotificationAccessSettings.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Reading other users' image files using ChooserActivity image preview

In multiple functions of ChooserActivity.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[ADP Grant] System Tracing can be used even if DISALLOW_DEBUGGING_FEATURES has been applied (MainActivity)

In multiple functions of multiple files, there is a possible way to bypass the DISALLOW_DEBUGGING_FEATURES restriction for tracing due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for.....

Persisting notification access after reboot by notifying and snoozing notifications with super large tag

In several functions of SnoozeHelper.java, there is a possible way to grant notifications access due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Cross-user notification access type control using undocumented intent extras

In retrieveAppEntry of NotificationAccessDetails.java, there is a missing permission check. This could lead to local escalation of privilege across user boundaries with no additional execution privileges needed. User interaction is not needed for...

EFI Linux/arm64 code can be subverted to overwrite the shadow call stack pointer

In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

libsensorserviceaidl_fuzzer: Heap-buffer-overflow in android::String8::setTo

In unflattenString8 of Sensor.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Investigate Security Vulnerability of getPhysicalDisplayToken

In sanitize of LayerState.cpp, there is a possible way to take over the screen display and swap the display content due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[2 of 2] App can access microphone in a foreground service without declaring microphone foreground service type as an attribute of <service> component. [ 2. android.telecom.CallScreeningService service continuously recording]

In onNullBinding of CallScreeningServiceHelper.java, there is a possible way to record audio without showing a privacy indicator due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Native crash - AID_BLUETOOTH - signal 11 (SIGSEGV)../libbluetooth_jni.so (bluetooth::activity_attribution::AttributionProcessor::OnWakelockReleased)../libbluetooth_jni.so (bluetoo...

In OnWakelockReleased of attribution_processor.cc, there is a use after free that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Modifying other users' app locales using AppLocalePickerActivity in Settings

In canDisplayLocalUi of AppLocalePickerActivity.java, there is a possible way to change system app locales due to a missing permission check. This could lead to local denial of service across user boundaries with no additional execution privileges needed. User interaction is not needed for...

Triage/rating request for io_uring upstream patch

In static initializers of io_uring.c, there is an insecure default value. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

Applications maintain their permission across different targeted sdks

In onPackageAddedInternal of PermissionManagerService.java, there is a possible way to silently grant a permission after a Target SDK update due to a permissions bypass. This could lead to local escalation of privilege after updating an app to a higher Target SDK with no additional execution...

[Out of Bounds Write in avdt_scb_hdl_write_req in avdt_scb_act.c in libbt-stack]

In avdt_scb_hdl_write_req of avdt_scb_act.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Unable to share/attach screenshot to Gmail in work profile

In onTargetSelected of ResolverActivity.java, there is a possible way to share a wrong file due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Backport: FreeType Heap buffer overflow read

In read_paint of ttcolr.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[Bug 2 of 7] Google Pixel Smartphone [FRP]Factory Reset Protection bypass (OS Version = android 13) - 2. Enabling voice setup adds the green audio-recording privacy indicator

In onParentVisible of HeaderPrivacyIconsController.kt, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges.....

Delete SoftAp configuration on network reset

In multiple files, there is a possible way to preserve WiFi settings due to residual data after a reset. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

[Out of Bounds Read in dropFramesUntilIframe Function in AAVCAssembler.cpp in libstagefright_rtsp]

In dropFramesUntilIframe of AAVCAssembler.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In multiple functions of extents.c, there is a possible out of bounds read due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...