CA Technologies, A Broadcom Company Security Vulnerabilities

Legacy apps bypass restrict to insert/update files to other app's external private dirs

In extractRelativePath of FileUtils.java, there is a possible way to access files in a directory belonging to other applications due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Security flaw in WI-FI reset settings]

In factoryReset of WifiServiceImpl.java, there is a possible way to preserve WiFi settings due to a logic error in the code. This could lead to local non-security issues across resets with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in register_notification_rsp in btif_rc.cc in libbtif]

In register_notification_rsp of btif_rc.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in nci_snd_set_routing_cmd in nci_hmsgs.cc in libnfc-nci]

In nci_snd_set_routing_cmd of nci_hmsgs.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for...

Privilege escalation may be achieved by exploiting a buffer overflow in the implementation of USB accessory gadget.

In acc_ctrlrequest_composite of f_accessory.c, there is a possible out of bounds write due to a missing bounds check. This could lead to physical escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Out of Bounds Read and Write in configureProducer in C2BqBuffer.cpp in libcodec2_vndk]

In Import of C2SurfaceSyncObj.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for...

Vulnerability: Package zlib affected by CVE-2022-37434 affecting GitOnBorg::android::platform::external::zlib

In inflate of inflate.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Potential Intent Redirection issue in SettingsActivity of Settings app

In launchDeepLinkIntentToRight of SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Google Pixel Smartphone [FRP]Factory Reset Protection bypass due to share button (OS Version = android 13)

In onPrimaryClipChanged of ClipboardListener.java, there is a possible way to bypass factory reset protection due to incorrect UI being shown prior to setup completion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Microphone privacy indicator can be bypassed by any app

In resolveAttributionSource of ServiceUtilities.cpp, there is a possible way to disable the microphone privacy indicator due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Delete arbitrary files with system permissions via DevicePolicyManager#clearApplicationUserData

In clearApplicationUserData of ActivityManagerService.java, there is a possible way to remove system files due to a path traversal error. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

Permanent denial of service via NotificationManager#addAutomaticZenRule

In addAutomaticZenRule of ZenModeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In multiple functions of many files, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via AutomaticZenRule#configurationActivity

In many functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via AutomaticZenRule#conditionId

In many functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Binder VMA management security issues

In binder_vma_close of binder.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

: wifi: cfg80211: avoid nontransmitted BSS list corruption

In cfg80211_add_nontrans_list of scan.c, there is a possible way to corrupt a list due to a logic error in the code. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

: fix u8 overflow in cfg80211_update_notlisted_nontrans

In cfg80211_update_notlisted_nontrans of scan.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Speculative Target Reuse Attacks

In specific ARM processors, there is a possible side-channel information leak due to a hardware flaw. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[PermissionController#ReviewPermissionsActivity could be Overlaid to Trick User into Granting Permission to Apps with API level lower than 23]

In onCreate of ReviewPermissionsActivity.java, there is a possible way to grant permissions for a separate app with API level < 23 due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

[INTERNAL SHADOW][Zebra] FLAG_SECURE is not included in KeyGaurd and Set Pin/Password screen

In applyKeyguardFlags of NotificationShadeWindowControllerImpl.java, there is a possible way to observe the user's password on a secondary display due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is...

Overwrite/Delete arbitrary files with system permissions via DevicePolicyManager#setApplicationRestrictions

In writeApplicationRestrictionsLAr of UserManagerService.java, there is a possible overwrite of system files due to a path traversal error. This could lead to local denial of service with System execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannelGroup#mDescription

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannelGroup#mId

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mConversationId

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mVibration

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Race Condition in setSecurityLevel Function in DrmPlugin.cpp in [email protected]]

In getSecurityLevel and setSecurityLevel of DrmPlugin.cpp, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Delivery of new intents to protected activities via Activity#navigateUpTo() API

In navigateUpTo of Task.java, there is a possible way to launch an unexported intent handler due to a logic error in the code. This could lead to local escalation of privilege if the targeted app has an intent trampoline, with no additional execution privileges needed. User interaction is not...

[Out of Bounds Write in phNxpNciHal_write_unlocked Function in phNxpNciHal.cc in nfc_nci_nxp]

In phNxpNciHal_write_unlocked of phNxpNciHal.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Path traversal in MmsProvider#update leading to permanent DoS

In update of MmsProvider.java, there is a possible constriction of directory permissions due to a path traversal error. This could lead to local denial of service of SIM recognition with no additional execution privileges needed. User interaction is needed for...

[Android 13 Beta] [Heap Use After Free in PAN_WriteBuf Function in pan_api.cc in libbt-stack]

In PAN_WriteBuf of pan_api.cc, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for...

[local root on the latest Pixel6]

In io_match_task of io_uring.c, there is a possible arbitrary code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Bypass fix of CVE-2022-20143: Bypass zen rule limit with different configuration Activity

In addAutomaticZenRule of ZenModeHelper.java, there is a possible permanent degradation of performance due to resource exhaustion. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for...

Vulnerability: external/expat (bufferSize)

In XML_GetBuffer of xmlparse.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Make bluetooth discoverable via Settings#SliceDeeplinkHomepageActivity in devices supporting split functionality

In SettingsActivity.java, there is a possible way to make a device discoverable over Bluetooth, without permission or user interaction, due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Path Traversal in MediaProvider#delete

In checkAccess of MediaProvider.java, there is a possible file deletion due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Privilege Escalation in com.android.settings.DefaultRingtonePreference and com.android.dialer.app.settings.DefaultRingtonePreference

In onSaveRingtone of DefaultRingtonePreference.java, there is a possible inappropriate file read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Built-In VPN "Magically" Disabled Itself When Entering WiFi

In onDefaultNetworkChanged of Vpn.java, there is a possible way to disable VPN due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[surfaceflinger EventThreadConnection::stealReceiveChannel fdsan crash]

In stealReceiveChannel of EventThread.cpp, there is a possible way to interfere with process communication due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Exploiting BLURtooth [CVE-2020-15802] on a Pixel 6

In btif_dm_auth_cmpl_evt of btif_dm.cc, there is a possible vulnerability in Cross-Transport Key Derivation due to Weakness in Bluetooth Standard. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Malicious code in a-stupid-test_gem (RubyGems)

-= Per source details. Do not edit below this...

Leak contact image data across user boundaries through Notification

In multiple locations, there is a possible way to reveal images across users data due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[There are two problems with killBackgroundProcesses in ActivityManager]

In multiple functions of ActivityManagerService.java, there is a possible way to escape Google Play protection due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Silently retain Accessibility Service after package update

In updateServicesLocked of AccessibilityManagerService.java, there is a possible way for an app to be hidden from the Setting while retaining Accessibility Service due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed....

[STS SDK Grant] Create and persist a new secondary user without any restrictions via a super large seed account type

In multiple methods of UserManagerService.java, there is a possible failure to persist or enforce user restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Enable NotificationListenerService in the work profile via setDeviceProfile#AssociationRequest.DEVICE_PROFILE_WATCH

In multiple locations, there is a possible notification listener grant to an app running in the work profile due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

[Out of Bounds Read in WT_VoiceGain in eas_wtengine.c]

In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for...

Bypass DISALLOW_ADD_WIFI_CONFIG to connect to an untrusted Wi-Fi network by WifiDialogActivity

In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in kDescribeHdr10PlusInfoIndex case in getConfig in SoftVideoDecoderOMXComponent.cpp in libstagefright_softomx]

In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a missing validation check. This could lead to a local non-security issue with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read and Write in onQueueFilled in outQueue in libstagefright_soft_mpeg4dec]

In onQueueFilled of SoftMPEG4.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...