App can read all notifications of the device without requiring any permission.

2024-06-0100:00:00

Google

osv.dev

notification access

improper validation

privilege escalation

user interaction

7 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

In multiple functions of ManagedServices.java, there is a possible way to hide an app with notification access in the Device & app notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CPENameOperatorVersion
platform/frameworks/baseeq12
platform/frameworks/baseeq13
platform/frameworks/baseeq12L
platform/frameworks/baseeq14

Name	Operator	Version
platform/frameworks/base	eq	12
platform/frameworks/base	eq	13
platform/frameworks/base	eq	12L
platform/frameworks/base	eq	14

References

android.googlesource.com/platform/frameworks/base/+/a9ee2793068235ff423d08cc0964870c054d1983

source.android.com/security/bulletin/2024-06-01