CA Technologies, A Broadcom Company Security Vulnerabilities

Bypassing user interaction in phone account settings using duplicate registrations

In addOrReplacePhoneAccount of PhoneAccountRegistrar.java, there is a possible way to enable a phone account without user interaction due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mDesc

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mSound

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Native crash - com.google.android.projection.gearhead - signal 6 (SIGABRT)../libclang_rt.hwasan-aarch64-android.so (hwasan_tag_mismatch4)../libclang_rt.hwasan-aarch64-android.so (hwasan_tag_mismatch)../b...

In GetResolvedMethod of entrypoint_utils-inl.h, there is a possible use after free due to a stale cache. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

The "snoozeNotification" method of NotificationListenerService causes Android system to crash and cyclic reboot.

In setImpl of AlarmManagerService.java, there is a possible way to put a device into a boot loop due to an uncaught exception. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

App can redirect a call to different user without requiring INTERACT_ACROSS_USERS permission.

In onCallRedirectionComplete of CallsManager.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Pixploit] The binder bug

In binder_inc_ref_for_node of binder.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Child of b/237288416: [Out of Bounds Write in audioProfileToHal Function in HidlUtils.cpp in [email protected]]

In audioTransportsToHal of HidlUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in audioProfileToHal Function in HidlUtils.cpp in [email protected]]

In audioTransportsToHal of HidlUtils.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Parcel reuse allows BAL bypass

In recycle of Parcel.java, there is a possible way to start foreground activity from background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Vulnerability: external/expat (addBinding)

In storeAtts of xmlparse.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in extract3GPPGlobalDescriptions Function in TextDescriptions.cpp in libstagefright_timedtext]

In extract3GPPGlobalDescriptions of TextDescriptions.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure from the media server with no additional execution privileges needed. User interaction is not needed for...

Bypass fix of CVE-2021-39807 : Disable secure nfc in guest user via SettingsSlice

In setChecked of SecureNfcPreferenceController.java, there is a missing permission check. This could lead to local escalation of privilege from the guest user with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in updateAudioTrackInfoFromESDS_MPEG4Audio Function in MPEG4Extractor.cpp in libmp4extractor]

In updateAudioTrackInfoFromESDS_MPEG4Audio of MPEG4Extractor.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for...

Task hijacking via relinquishTaskIdentity attribute - test

In Task.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Proxy PAC URL can use several URL schemes, including file: and jar:

In get of PacProxyService.java, there is a possible system service crash due to improper input validation. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for...

Malicious code in vendored-a (npm)

-= Per source details. Do not edit below this...

EoP: Unsafe package check leading to LaunchAnyWhere in AppRestrictionsFragment

In assertSafeToStartCustomActivity of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Crafted HFP Client Packet Causes Out-of-bounds Write in Bluetooth]

In bta_hf_client_handle_cind_list_item of bta_hf_client_at.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Malicious code in a-special_day (RubyGems)

-= Per source details. Do not edit below this...

Malicious code in a-stupid_test_gem (RubyGems)

-= Per source details. Do not edit below this...

[There are two problems with killBackgroundProcesses in ActivityManager]

In multiple functions of ActivityManagerService.java, there is a possible way to escape Google Play protection due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Enumerate photos across users by SystemUI media resumption

In loadMediaDataInBgForResumption of MediaDataManager.kt, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Bypass access restriction on Android/data/directory and all subdirectories

In queryChildDocuments of FileSystemProvider.java, there is a possible way to request access to directories that should be hidden due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

Starting Activity from background by returning null in TileService#onBind after its custom tile removed

In onNullBinding of TileLifecycleManager.java, there is a possible way to launch an activity from the background due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Enumerating other users' photos by posting an important conversation Notification with a shortcut icon

In fixUpIncomingShortcutInfo of ShortcutService.java, there is a possible way to view another user's image due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

AccountManagerService.checkKeyIntentParceledCorrectly update reverts protection against write-in-createFromParcel

In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to launch arbitrary activities using system privileges due to Parcel Mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed...

Local persistent denial of service when setting PackageManager.GET_SIGNATURES

In multiple locations, there is a possible way to crash multiple system services due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Crash in < system_server >, HWAddressSanitizer: tag-mismatch on address 0x0040bee48a54 at pc 0x0071970b9564 READ of size 2 at 0x0040bee48a54 tags: 8c/12 (ptr/mem) in thread T192

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Background Activity Launch via TYPE_PRESENTATION

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Media resumption control could show up in another user and leak the owner's media data

In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User...

ADP Grant - Detecting photos belonging to other users via MediaData artwork shown in SystemUI#MediaControlPanel

In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Displaying photos of other users via a notification with RemoteViews.setIcon/4

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

Non-runtime permission flags aren't preserved upon APK updates

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User...

[EoP: Modify intent-flags on a immutable PendingIntent which could grant additional permission]

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Enumerating other users' photos by posting a notification with portrait or landscape RemoteViews

In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Starting Activities from background via Bubble Notification's fullscreenIntent even when the bubble notification is suppressed

In getFullScreenIntentDecision of NotificationInterruptStateProviderImpl.java, there is a possible activity launch while the app is in the background due to a BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for....

Possible Vulnerability in Work Profile Provisioning

In onSetRuntimePermissionGrantStateByDeviceAdmin of AdminRestrictedPermissionsUtils.java, there is a possible way for the work profile to read SMS messages due to a permissions bypass. This could lead to local information disclosure with User execution privileges needed. User interaction is not...

Toasts can still be made touchable

In several functions of inputDispatcher.cpp, there is a possible way to make toasts clickable due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

TaskFragmentOrganizer.applySyncTransaction() allows leaking SurfaceControl of outer Task

In applySyncTransaction of WindowOrganizer.java, a missing permission check could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Isolated apps able to register a broadcast receiver

In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not...

Start foreground activity from background in PackageInstaller.Session#commit

In multiple functions of PackageInstallerService.java and related files, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is.....

Bypass BG-FGS while-in-use/start restrictions via PackageInstaller.Session#commit

In multiple methods of PackageInstallerSession.java, there is a possible way to start foreground services from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Registering BroadcastReceiver as another app through IApplicationThread of isolated external service

In retrieveServiceLocked of ActiveServices.java, there is a possible way to dynamically register a BroadcastReceiver using permissions of System App due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction...

[Out of Bounds Write in bta_av_rc_disc_done Function in bta_av_act.cc in Bluetooth]

In bta_av_rc_disc_done of bta_av_act.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Silently retain Accessibility Service after package update

In updateServicesLocked of AccessibilityManagerService.java, there is a possible way for an app to be hidden from the Setting while retaining Accessibility Service due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed....

Leak contact image data across user boundaries through Notification

In multiple locations, there is a possible way to reveal images across users data due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[STS SDK Grant] Create and persist a new secondary user without any restrictions via a super large seed account type

In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Enable NotificationListenerService in the work profile via setDeviceProfile#AssociationRequest.DEVICE_PROFILE_WATCH

In multiple locations, there is a possible notification listener grant to an app running in the work profile due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Out of Bounds Read in WT_VoiceGain in eas_wtengine.c]

In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for...