CA Technologies, A Broadcom Company Security Vulnerabilities

SF Security Vulnerability, Privilege Escalation through transaction merging

In finishDrawingWindow of WindowManagerService.java, there is a possible tapjacking due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

C2FuzzerVorbisDec: Heap-use-after-free in android::C2DmaBufAllocation::unmap

In various functions of C2DmaBufAllocator.cpp, there is a possible memory corruption due to a use after free. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for...

Path traversal in CallLogProvider

In openFile of CallLogProvider.java, there is a possible permission bypass due to a path traversal error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

CRLF Injection in KeyChainActivity can trick user into disclosing keys in KeyChain

In choosePrivateKeyAlias of KeyChain.java, there is a possible access to the user's certificate due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

Double-free on OEM device, but seemingly in AOSP code (com.android.vending).

In multiple locations, there is a possible way to corrupt memory due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

EoP in shouldAbortBackgroundActivityStart of ActivityStarter.java

In AlarmManagerActivity of AlarmManagerActivity.java, there is a possible way to bypass background activity launch restrictions via a pendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Zygote command injection allows code execution as any app via WRITE_SECURE_SETTINGS or Signed Config

In multiple functions of ZygoteProcess.java, there is a possible way to achieve code execution as any app via WRITE_SECURE_SETTINGS due to unsafe deserialization. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Reveal audios across users via com.android.server.notification.NotificationManagerService.mService.updateNotificationChannelFromPrivilegedListener

In updateNotificationChannelFromPrivilegedListener of NotificationManagerService.java, there is a possible cross-user data leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Missing permission checks in CompanionDeviceShellCommand.java

In CompanionDeviceManagerService.java, there is a possible way to pair a companion device without user acceptance due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

App can continue to fill input fields in the device even if user has not selected it as default Autofill service app.

In newServiceInfoLocked of AutofillManagerServiceImpl.java, there is a possible way to hide an enabled Autofill service app in the Autofill service settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User...

Disable show media on lock screen, but still accessible via pull down notificaion

In multiple locations, there is a possible information leak due to a missing permission check. This could lead to local information disclosure exposing played media with no additional execution privileges needed. User interaction is not needed for...

statsevent_fuzzer: Heap-buffer-overflow in AStatsEvent_addBoolAnnotation

In increment_annotation_count of stats_event.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Permanent device denial of service due to bypassing snoozed notifications limit number

In multiple functions of SnoozeHelper.java, there is a possible way to cause a boot loop due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Android frameworok sharedUserMaxSdkVersion attribute can make app become privileged app.

In assertPackageWithSharedUserIdIsPrivileged of InstallPackageHelper.java, there is a possible execution of arbitrary app code as a privileged app due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is.....

Privacy Issue: Platform Health Connect

In multiple functions of healthconnect, there is a possible leakage of exercise route data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Privilege Escalation Vulnerability in AccountManager Due to Persistent Elevated Application Priority

In Session of AccountManagerService.java, there is a possible method to retain foreground service privileges due to incorrect handling of null responses. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

packages.list newline injection allows run-as as any app from ADB on Android 12+13

In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Enumerating other users' contact photos via CustomDescription templateUpdates shown in AutoFillService's SaveUi

In applyCustomDescription of SaveUi.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Green indicator permanently on

In removePersistentDot of SystemStatusAnimationSchedulerImpl.kt, there is a possible race condition due to a logic error in the code. This could lead to local escalation of privilege that fails to remove the persistent dot with no additional execution privileges needed. User interaction is not...

Screen capture policy overriden when there is secondary user on the device

In multiple files, there is a possible way to capture the device screen when disallowed by device policy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Camera - Access to user location without any permissions

In shouldUseNoOpLocation of CameraActivity.java, there is a possible confused deputy due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

Permanent denial of service via PackageManager#setPackagesSuspended with invalid SuspendParams.launcherExtras

In saveToXml of PersistableBundle.java, invalid data could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in BTM_BlePeriodicSyncSetInfo in btm_ble_gap.cc in libbt-stack]

In multiple functions of btm_ble_gap.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Potential oob read due to missing length check in BleAdvertiserInterfaceImpl::StartAdvertisingSet() of bluetooth stack

In parse_gap_data of utils.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

[Bug 2/2] Potential oob write due to missing bounds check in LeAudioBroadcasterImpl::CreateAudioBroadcast() of bluetooth stack

In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Rust pvmfw fails to randomize guest KASLR

In modify_for_next_stage of fdt.rs, there is a possible way to render KASLR ineffective due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Notification.WearableExtender can contains actions referred to unauthorized icon

In visitUris of Notification.java, there is a possible way to display images from another user due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Reveal images across users via TelecomManager#registerPhoneAccount

In registerPhoneAccount of TelecomServiceImpl.java, there is a possible way to reveal images from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Credential Manager not working on secondary user

In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

mtp_packet_fuzzer: Heap-buffer-overflow in android::MtpPacket::setContainerCode

In multiple functions of MtpPacket.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

ADP Grant - Detecting photos belonging to other users via SystemUI Controls with ThumbnailTemplate

In multiple locations, there is a possible cross-user read due to a confused deputy. This could lead to local information disclosure of photos or other images with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Bypass BG-FGS restrictions by retrieving own notifications' public versions and firing their PendingIntents

In sanitizeSbn of NotificationManagerService.java, there is a possible way to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

SQL Injection in ContactsProvider#query via URI PathSegments

In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

read&write private files of apps without any permission

In multiple locations, there is a possible way to access screenshots due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Enumerating other users' contact photos via dialog header presentation shown in AutoFillService's DialogFillUi

In setHeader of DialogFillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Detecting photos belonging to other users by posting a messaging style notification with remote input history items

In visitUris of Notification.java, there is a possible bypass of user profile boundaries due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Security vulnerability in WebP

In BuildHuffmanTable of huffman_utils.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Enumerating other users' contact photos via CustomDescription shown in AutoFillService's SaveUi

In applyCustomDescription of SaveUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

mtp_host_property_fuzzer: Segv on unknown address in android::MtpProperty::~MtpProperty

In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth][GATT] build_read_multi_rsp integer overflow

In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth][GATT] Use-After-Free in function `gatt_process_prep_write_rsp`.

In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible privilege escalation due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for...

[Bug 7 of 7] Google Pixel Smartphone [FRP]Factory Reset Protection bypass (OS Version = android 13) - 7. Targeting the configuring of the lock screen itself due to App permissions

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed......

ADP Grant - Enumerating other users' photos by posting a notification with mSizedRemoteViews

In visitUris of RemoteViews.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

TOFU: An impostor server attack possible because the Root CA is not verified initially

In isServerCertChainValid of InsecureEapNetworkHandler.java, there is a possible way to trust an imposter server due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Detecting low resolution pictures of other users’ by StatusHints shown in in-call UI

In multiple functions of StatusHints.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

Microphone indicator in status bar didn't show when using microphone in WhatsApp

In multiple locations, there is a possible way to obscure the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

TOFU behavior for enterprise in Android 13 sends the credential first then prompts TOFU, allowing for trivial credential theft.

In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Permanent denial of service via WifiManager#addNetworkSuggestions

In add of WifiNetworkSuggestionsManager.java, there is a possible way to trigger permanent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Improve one-time permissions handling and revoking mechanism to prevent security issues

In multiple functions of OneTimePermissionUserManager.java, there is a possible one-time permission retention due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

[Boreal S] [ADT3 T] YT able to record from Remote Submix when global mic mute toggle is enabled

In openMmapStream of AudioFlinger.cpp, there is a possible way to record audio without displaying the microphone privacy indicator due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...