CA Technologies, A Broadcom Company Security Vulnerabilities

App Pin security issue exposes payment cards in Google Wallet to unauthorized payments

In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no...

Background Activity Launch via TYPE_PRESENTATION

In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Legacy apps bypass restrict to insert/update files to other app's external private dirs

In computeValuesFromData of FileUtils.java, there is a possible way to insert files to other apps' external private directories due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Ability to start arbitrary components in Launcher3 via Legacy Shortcut

In hasPermissionForActivity of PackageManagerHelper.java, there is a possible way to start arbitrary components due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Media resumption control could show up in another user and leak the owner's media data

In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User...

Android Vomit Report

In multiple locations, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bug 3 of 7] Google Pixel Smartphone [FRP]Factory Reset Protection bypass (OS Version = android 13) - 3. The YouTube application is not needed during provisioning/SUW/FRP

In onCreate of ManagePermissionsActivity.java, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges needed......

Intent to distrust a CA included in the Chrome Root Store

In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Detecting photos belonging to other users via MediaData artwork shown in SystemUI#MediaControlPanel

In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Device reset on cancelling provisioning

In decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java, there is a possible way to bypass factory reset protections due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not...

Displaying photos of other users via a notification with RemoteViews.setIcon/4

In visitUris of RemoteViews.java, there is a possible way to reveal images across users due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

Non-runtime permission flags aren't preserved upon APK updates

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way for an app to keep permissions that should be revoked due to incorrect permission flags cleared during an update. This could lead to local escalation of privilege with User execution privileges needed. User...

Html Injection in Vpn ConfirmDialog

In onCreate of ConfirmDialog.java, there is a possible way to connect to VNP bypassing user's consent due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

[EoP: Modify intent-flags on a immutable PendingIntent which could grant additional permission]

In getPendingIntentLaunchFlags of ActivityOptions.java, there is a possible elevation of privilege due to a confused deputy with no additional execution privileges needed. User interaction is not needed for...

One-time permissions can be held indefinitely due to activity manager bug

In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not...

[ESS-CWE-121] - [WearOS] NCC-E005047-NNW - Stack Buffer Overwrite in gatt_end_operation

In gatt_end_operation of gatt_utils.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Starting arbitrary Activities via SettingsHomepageActivity on behalf of uid 1000

In SettingsHomepageActivity.java, there is a possible way to launch arbitrary activities via Settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Linux kernel vulnerability advisory

In bigben_remove of hid-bigbenff.c, there is a possible race condition due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ADP Grant - Enumerating other users' photos by posting a notification with portrait or landscape RemoteViews

In visitUris of RemoteViews.java, there is a possible leak of images between users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Starting Activities from background via Bubble Notification's fullscreenIntent even when the bubble notification is suppressed

In getFullScreenIntentDecision of NotificationInterruptStateProviderImpl.java, there is a possible activity launch while the app is in the background due to a BAL bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for....

Possible Vulnerability in Work Profile Provisioning

In onSetRuntimePermissionGrantStateByDeviceAdmin of AdminRestrictedPermissionsUtils.java, there is a possible way for the work profile to read SMS messages due to a permissions bypass. This could lead to local information disclosure with User execution privileges needed. User interaction is not...

[Out of Bounds Read in AnalyzeMfcResp in NxpMfcReader.cc in nfc_nci_nxp]

In AnalyzeMfcResp of NxpMfcReader.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Toasts can still be made touchable

In several functions of inputDispatcher.cpp, there is a possible way to make toasts clickable due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Android Kernel msm gpu driver race condition double free

In adreno_set_param of adreno_gpu.c, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

TaskFragmentOrganizer.applySyncTransaction() allows leaking SurfaceControl of outer Task

In applySyncTransaction of WindowOrganizer.java, a missing permission check could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Isolated apps able to register a broadcast receiver

In registerReceiverWithFeature of ActivityManagerService.java, there is a possible way for isolated processes to register a broadcast receiver due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not...

[Out of Bounds Read in avdt_scb_hdl_pkt_no_frag Function in avdt_scb_act.cc in Bluetooth]

In avdt_scb_hdl_pkt_no_frag of avdt_scb_act.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Start foreground activity from background in PackageInstaller.Session#commit

In multiple functions of PackageInstallerService.java and related files, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is.....

Bypass BG-FGS while-in-use/start restrictions via PackageInstaller.Session#commit

In multiple methods of PackageInstallerSession.java, there is a possible way to start foreground services from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Vulnerability: Package zlib affected by CVE-2022-37434 affecting GitOnBorg::android::platform::external::angle

In inflate of inflate.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Registering BroadcastReceiver as another app through IApplicationThread of isolated external service

In retrieveServiceLocked of ActiveServices.java, there is a possible way to dynamically register a BroadcastReceiver using permissions of System App due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction...

[Out of Bounds Read in deserialize in ExecutionBurstServer.cpp in libneuralnetworks_common_defaults]

In deserialize of multiple files, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Auto grant permission after the permission is revoked without the user's awareness via PackageManager#addPermission

In addPermission of PermissionManagerServiceImpl.java , there is a possible failure to persist permission settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Permanent denial of service via WifiManager#addOrUpdatePasspointConfiguration with invalid PasspointConfiguration.mDecoratedIdentityPrefix

In validateForCommonR1andR2 of PasspointConfiguration.java, uncaught errors in parsing stored configs could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for...

Guest user can add a new user via Settings#AddSupervisedUserActivity

In AddSupervisedUserActivity, guest users are not prevented from starting the activity due to missing permissions checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

PendingIntent in Settings#MediaVolumePreferenceController can be hijacked

In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in bta_av_rc_disc_done Function in bta_av_act.cc in Bluetooth]

In bta_av_rc_disc_done of bta_av_act.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Bypassing check of isBluetoothShareUri to force Bluetooth app to grant its accessible ContentProviders' access

In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

Possible EvilParcel bug in WorkSource class

In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ndk_sync_codec_fuzzer: Tag-mismatch in std::__1::__tree_iterator<std::__1::__value_type<std::__1::basic_string<char, st

In several functions of MediaCodec.cpp, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In pxa3xx_gcu_write of pxa3xx-gcu.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Reading contacts of other users using emergency contact settings

In onCreatePreferences of EditInfoFragment.java, there is a possible way to read contacts belonging to other users due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In move_page_tables of mremap.c, there is a possible memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

[Binder][bug] Incorrect bound check in `binder_transaction_buffer_release` in binder.c

In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Intent injection through Intent.toUri/Intent.parseUri mismatch

In getTrampolineIntent of SettingsActivity.java, there is a possible launch of arbitrary activity due to an Intent mismatch in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Regression] Uninstalling of packages by DPC does not work in T

In getStringsForPrefix of Settings.java, there is a possible prevention of package uninstallation due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth avrcp/avdtp heap overflow]

In avct_lcb_msg_asmbl of avct_lcb_act.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege over Bluetooth with no additional execution privileges needed. User interaction is not needed for...

OOB read in Bluetooth AVRC

In several functions that parse avrc response in avrc_pars_ct.cc and related files, there are possible out of bounds reads due to integer overflows. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mName

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Secret notifications are not hidden on lock screen

In shouldHideNotification of KeyguardNotificationVisibilityProvider.kt, there is a possible way to show hidden notifications due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...