CA Technologies, A Broadcom Company Security Vulnerabilities

ndk_mediamuxer_fuzzer: Heap-use-after-free in android::MediaAppender::init

In setDataSource of initMediaExtractor.cpp, there is a possibility of arbitrary code execution due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Bypass of device carrier restrictions (OS Version = android 12)

In deletePackageVersionedInternal of DeletePackageHelper.java, there is a possible way to bypass carrier restrictions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Android lock screen sensitive notification bypass

In updatePublicMode of NotificationLockscreenUserManagerImpl.java, there is a possible way to reveal sensitive notifications on the lockscreen due to an incorrect state transition. This could lead to local information disclosure with physical access required and an app that runs above the...

Enabling managed connection service without user interaction using tapjacking in Telecomm

In onCreate of EnableAccountPreferenceActivity.java, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

Broken Permission Check

In deletePackageX of DeletePackageHelper.java, there is a possible way for a Guest user to reset pre-loaded applications for other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for.....

[Out of Bounds Read in BNEP_ConnectResp Function in bnep_api.cc in BluetoothOut of Bounds Read in BNEP_ConnectResp Function in bnep_api.cc in BluetoothOut of Bounds Read in BNEP_ConnectResp Function in bnep_api.cc in Bluetooth]

In BNEP_ConnectResp of bnep_api.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for...

Investigate how Phone Services is breaking through AppOps restrictions

In sOpAllowSystemRestrictionBypass of AppOpsManager.java, there is a possible leak of location information due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

locale_fuzzer: Tag-mismatch in _getVariant

In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Permanent denial of service via NotificationManager#createNotificationChannel

In createNotificationChannel of NotificationManager.java, there is a possible way to make the device unusable and require factory reset due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Apps can get the ACTIVITY_RECOGNITION runtime permission silently via app upgrade on Q and above

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Unlocking SIM PUK result in unlocking phone directly

In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in process_service_search_rsp Function in sdp_discoverty.cc in Bluetooth]

In process_service_search_rsp of sdp_discovery.cc, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

LazyValue in Bundle read with ReadWriteHelper may use Parcel after Parcel.recycle()

In initializeFromParcelLocked of BaseBundle.java, there is a possible method arbitrary code execution due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[The use of BD_ADDR in BR/EDR as the identity address of BLE makes the dual-stack trackable]

In bta_dm_remove_device of bta_dm_act.cc, there is a possible way for a BT device to receive a long term trackable identifier due to a permissions bypass. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

libfdt_fuzzer: Heap-buffer-overflow in fdt_next_tag

In fdt_next_tag of fdt.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

Presentation can make the app start activities in the background

In createPresentationContext of Presentation.java, there is a possible way to start a foreground activity from background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

An android kernel bug that allows to bypass all protection bypass and achieve privilege escalation

In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

Launcher puts IApplicationThread inside ActivityOptions and it may be sent to launched app

In setOptions of ActivityRecord.java, there is a possible load any arbitrary Java code into launcher process due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[KASAN: slab-out-of-bounds in emulation_proc_handler+0x17c/0x1c8]

In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Kernel integer overflow

In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for...

InputMethodManagerService provides an implicit mutable PendingIntent to 3Ps

In startInputUncheckedLocked of InputMethodManagerService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

Obtaining dangerous platform permission with app update

In PermissionController, there is a possible way to get and retain permissions without user's consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Sync adapters can be called directly by other apps

In startSync of AbstractThreadedSyncAdapter.java, there is a possible way to access protected content of content providers due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

[Bug#2 - ActivityManager.bindService] Calling Package can be spoofed to ActivityManager.bindService

In shouldAllowFgsWhileInUsePermissionLocked of ActiveServices.java, there is a possible way to start foreground service from background due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed.....

Bluetooth scanning can be modified even restricted by UserManager.DISALLOW_BLUETOOTH/DISALLOW_CONFIG_BLUETOOTH

In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Android Security - [EMBARGO 5/24] invalid-free in io_uring that can lead to LPE

In io_req_init_async there is a potential use after free due to a race condition. This could lead to local escalation of privileges with User execution privileges needed. User interaction is not needed for...

Malicious code in a-special_day (RubyGems)

-= Per source details. Do not edit below this...

Malicious code in a-stupid_test_gem (RubyGems)

-= Per source details. Do not edit below this...

[Mainline Fix] AttributionSource may incorrectly validate the calling uid and pid depending on usage

In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Bypass of overlay protection in landscape mode

In hide of WindowState.java, there is a possible way to bypass tapjacking/overlay protection by launching the activity in portrait mode first and then rotating it to landscape mode. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed...

[Platform Fix] AttributionSource may incorrectly validate the calling uid and pid depending on usage

In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Potential DoS attack through shortcut reporting.

In multiple functions of ShortcutService.java, there is a possible persistent DOS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

[U] [Coexistence] [Regression] Fix certain policies not being migrated properly on policy engine migration

In multiple locations, there is a possible way in which policy migration code will never be executed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Linux Kernel Race Condition leads to UAF in Unix Domain Socket and causes LPE in Android

In unix_stream_sendpage of af_unix.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

Task Hijacking Using startActivityForResults - Phone by Google Example

In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has been accessed. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Requesting and setting notfication access on behalf of another user profile by CompanionDeviceManagerService#requestNotificationAccess

In multiple functions of CompanionDeviceManagerService.java, there is a possible launch NotificationAccessConfirmationActivity of another user profile due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction.....

Lockdown vs. Screen pinning mode

In multiple functions of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Permanent device denial of service due to a huge amount of scheduled alarms

In multiple functions of SnoozeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

Permanent device denial of service due to improper input validation in AppOpsService

In multiple functions of AppOpsService.java, there is a possible way to saturate the content of /data/system/appops_accesses.xml due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in internalGetVp8Params in SoftVP8Encoder.cpp in libstagefright_soft_vpxenc]

In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in attp_build_value_cmd in libbt-stack]

In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

DPC global restriction are lost after reboot on Android 14

In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. This could lead to local denial of service when policies are deserialized on reboot with no additional execution privileges needed. User interaction is not needed for...

Start foreground activity from background in ActivityTaskManagerService#startNextMatchingActivity

In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User...

Wallpaper Service BAL Abuse

In BackgroundLaunchProcessController, there is a possible way to launch arbitrary activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Binder MemoryHeapBase] - Need to SEAL file size on memfd mapped region

In multiple functions of ashmem-dev.cpp, there is a possible missing seal due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Enable notification listener services in the work profile via CompanionDeviceManager#requestNotificationAccess

In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User...

[Bug 1/2] Potential oob read due to missing bounds check in LeAudioBroadcasterImpl::CreateAudioBroadcast() of bluetooth stack

In CreateAudioBroadcast of broadcaster.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Write in BTM_BlePeriodicSyncTransfer in btm_ble_gap.cc in libbt-stack]

In multiple functions of btm_ble_gap.cc, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

App can start the activity from background without requiring any permission.

In injectSendIntentSender of ShortcutService.java, there is a possible background activity launch due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Crash in com.google.android.bluetooth - HWAddressSanitizer: tag-mismatch on address 0x004a0315be00 at pc 0x007319f2eda8

In callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for...