CA Technologies, A Broadcom Company Security Vulnerabilities

Start foreground activity from background via LocationManager#requestFlush

In deliverOnFlushComplete of LocationProviderManager.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for....

[INTERNAL SHADOW][Samsung] Instrumentation abusing apps from the Play Store

In startInstrumentation of ActivityManagerService.java, there is a possible way to keep the foreground service alive while the app is in the background. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Google Pixel Smartphone [FRP]Factory Reset Protection bypass due to share button (OS Version = android 13)

In onPrimaryClipChanged of ClipboardListener.java, there is a possible way to bypass factory reset protection due to incorrect UI being shown prior to setup completion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Mainline Fix] AttributionSource may incorrectly validate the calling uid and pid depending on usage

In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Bypass of overlay protection in landscape mode

In hide of WindowState.java, there is a possible way to bypass tapjacking/overlay protection by launching the activity in portrait mode first and then rotating it to landscape mode. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed...

[Platform Fix] AttributionSource may incorrectly validate the calling uid and pid depending on usage

In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Potential DoS attack through shortcut reporting.

In multiple functions of ShortcutService.java, there is a possible persistent DOS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

[U] [Coexistence] [Regression] Fix certain policies not being migrated properly on policy engine migration

In multiple locations, there is a possible way in which policy migration code will never be executed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Linux Kernel Race Condition leads to UAF in Unix Domain Socket and causes LPE in Android

In unix_stream_sendpage of af_unix.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

Permanent device denial of service due to a huge amount of scheduled alarms

In multiple functions of SnoozeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Permanent device denial of service due to improper input validation in AppOpsService

In multiple functions of AppOpsService.java, there is a possible way to saturate the content of /data/system/appops_accesses.xml due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in internalGetVp8Params in SoftVP8Encoder.cpp in libstagefright_soft_vpxenc]

In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in attp_build_value_cmd in libbt-stack]

In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Start foreground activity from background in ActivityTaskManagerService#startNextMatchingActivity

In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User...

[Binder MemoryHeapBase] - Need to SEAL file size on memfd mapped region

In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Enable notification listener services in the work profile via CompanionDeviceManager#requestNotificationAccess

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User...

[Bug 1/2] Potential oob read due to missing bounds check in LeAudioBroadcasterImpl::CreateAudioBroadcast() of bluetooth stack

In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in BTM_BlePeriodicSyncTransfer in btm_ble_gap.cc in libbt-stack]

In multiple functions of btm_ble_gap.cc, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Crash in com.google.android.bluetooth - HWAddressSanitizer: tag-mismatch on address 0x004a0315be00 at pc 0x007319f2eda8

In callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for...

incidentd_service_fuzzer: Abrt in android::os::incidentd::IncidentService::onTransact

In onTransact of IncidentService.cpp, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Enumerating other users' photos by posting important conversation Notifications with a message sender person

In visitUris of Notification.java, there is a possible cross-user media read due to Confused Deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Granting access of protected ContentProviders on behalf of Launcher

In hasPermissionForActivity of PackageManagerHelper.java, there is a possible URI grant due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

use-after-free in libstagefright_httplive

In multiple functions of MetaDataBase.cpp, there is a possible UAF write due to a race condition. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

mtp_handle_fuzzer: Heap-use-after-free in android::MtpFfsHandle::doSendEvent

In multiple functions of MtpFfsHandle.cpp , there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

rtp_writer_fuzzer: Segv on unknown address in android::ARTPWriter::~ARTPWriter

In ARTPWriter of ARTPWriter.cpp, there is a possible use after free due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bug 5 of 7] Intent URI/CATEGORY_BROWSABLE permits FRP Bypass by leveraging browser applications

In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

setWapiPassphrase#WifiNetworkSuggestion$Builder call allows overflowing the system configuration file that leads to the permanent DoS

In validatePassword of WifiConfigurationUtil.java, there is a possible way to get the device into a boot loop due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Enumerating other users' contact photos via header or footer presentation shown in AutoFillService's FillUi

In FillUi of FillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Enumerating other users' contact photos via Dataset dialog presentation shown in AutoFillService's DialogFillUi

In multiple functions of DialogFillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Another Background starting activities restrictions bypass in CallRedirectionService

In onBindingDied of CallRedirectionProcessor.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege and background activity launch with no additional execution privileges needed. User interaction is not needed for...

Privilege Escalation in com.android.providers.media.MediaProvider#DatabaseUtils.bindSelection

In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Leak of cross-user contact data in FDN contact importation in Telephony

In multiple locations, there is a possible way to import contacts belonging to other users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth][GATT] gatts_process_* functions OOB write

In eatt_l2cap_reconfig_completed of eatt_impl.h, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

EoP: Default IME to Device Administrator

In onCreate of DeviceAdminAdd.java, there is a possible way to forcibly add a device admin due to a missing permission check. This could lead to local denial of service (factory reset or continuous locking) with no additional execution privileges needed. User interaction is not needed for...

Hide a notification listener service via excessively long component names

In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bug 6 of 7] Google Pixel Smartphone [FRP]Factory Reset Protection bypass from app permission (OS Version = android 13) - 6. Targeting the smart-lock related process that ultimately leads to configuring the lock screen

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed......

[Out of Bounds Read in outputs in parseInputs in ShimPreparedModel.cpp in libneuralnetworks_shim_static]

In parseInputs of ShimPreparedModel.cpp, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

ActivityOptions#makeLaunchIntoPip bypass FG-BG Restriction

In startActivityInner of ActivityStarter.java, there is a possible way to launch an activity into PiP mode from the background due to BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Heap buffer overflow in FreeType

In multiple locations, there is a possible code execution due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

an OOB write in resetLppTransposer Function in lpp_tran.cpp

In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for...

Bypass DISALLOW_CONFIG_LOCATION to enable/disable wifi scanning via slice URI

In getAvailabilityStatus of WifiScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not...

Integer overflow in SkSLVMCodeGenerator

In multiple functions of SkSLFunctionDefinition.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged app with no additional execution privileges needed. User interaction is needed for...

[2023-01-30] Android Enterprise (AFW) allows non-approved apks to be sideloaded into the work profile

In updateSettingsInternalLI of InstallPackageHelper.java, there is a possible way to sideload an app in the work profile due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Security - [Out of Bounds Write in rw_i93_send_to_upper in rw_i93.cc in libnfc-nci]

In rw_i93_send_to_upper of rw_i93.cc, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Permanent device denial of service due to OutOfMemoryError while system is turning on

In validateForCommonR1andR2 of PasspointConfiguration.java, there is a possible way to inflate the size of a config file with no limits due to a buffer overflow. This could lead to local denial of service with no additional execution privileges needed. User interaction is needed for...

Misleading UI design: Settings -> VPN

In onResume of AppManagementFragment.java, there is a possible way to prevent users from forgetting a previously connected VPN due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[ADP Grant] Guest user can see the trace logs recorded by Admin user by MainActivity

In multiple files, there is a possible way to access traces in the dev mode due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Control activityOptions via AddAccountSettings due to unsafe deserialization

In run of multiple files, there is a possible escalation of privilege due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[ADP Grant] System Tracing can be used even if DISALLOW_DEBUGGING_FEATURES has been applied (MainTvActivity)

In various functions of various files, there is a possible way to bypass the DISALLOW_DEBUGGING_FEATURES restriction for tracing due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Overlay Over SystemUI Dialogs

In multiple buttons of grant_permissions.xml, there is a possible way to bypass permissions dialogs due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...