CA Technologies, A Broadcom Company Security Vulnerabilities

Guest user can add a new user via Settings#AddSupervisedUserActivity

In AddSupervisedUserActivity, guest users are not prevented from starting the activity due to missing permissions checks. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

PendingIntent in Settings#MediaVolumePreferenceController can be hijacked

In getSliceEndItem of MediaVolumePreferenceController.java, there is a possible way to start foreground activity from the background due to an unsafe PendingIntent. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Bypassing check of isBluetoothShareUri to force Bluetooth app to grant its accessible ContentProviders' access

In isBluetoothShareUri of BluetoothOppUtility.java, there is a possible incorrect file read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

Possible EvilParcel bug in WorkSource class

In WorkSource, there is a possible parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ndk_sync_codec_fuzzer: Tag-mismatch in std::__1::__tree_iterator<std::__1::__value_type<std::__1::basic_string<char, st

In several functions of MediaCodec.cpp, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In pxa3xx_gcu_write of pxa3xx-gcu.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Reading contacts of other users using emergency contact settings

In onCreatePreferences of EditInfoFragment.java, there is a possible way to read contacts belonging to other users due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Linux kernel vulnerability advisory

In move_page_tables of mremap.c, there is a possible memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

[Binder][bug] Incorrect bound check in `binder_transaction_buffer_release` in binder.c

In binder_transaction_buffer_release of binder.c, there is a possible use after free due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Intent injection through Intent.toUri/Intent.parseUri mismatch

In getTrampolineIntent of SettingsActivity.java, there is a possible launch of arbitrary activity due to an Intent mismatch in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Regression] Uninstalling of packages by DPC does not work in T

In getStringsForPrefix of Settings.java, there is a possible prevention of package uninstallation due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Android lock screen sensitive notification bypass

In updatePublicMode of NotificationLockscreenUserManagerImpl.java, there is a possible way to reveal sensitive notifications on the lockscreen due to an incorrect state transition. This could lead to local information disclosure with physical access required and an app that runs above the...

Enabling managed connection service without user interaction using tapjacking in Telecomm

In onCreate of EnableAccountPreferenceActivity.java, there is a possible way to mislead the user into enabling a malicious phone account due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for...

[Out of Bounds Read in BNEP_ConnectResp Function in bnep_api.cc in BluetoothOut of Bounds Read in BNEP_ConnectResp Function in bnep_api.cc in BluetoothOut of Bounds Read in BNEP_ConnectResp Function in bnep_api.cc in Bluetooth]

In BNEP_ConnectResp of bnep_api.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure over Bluetooth with no additional execution privileges needed. User interaction is not needed for...

Investigate how Phone Services is breaking through AppOps restrictions

In sOpAllowSystemRestrictionBypass of AppOpsManager.java, there is a possible leak of location information due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

locale_fuzzer: Tag-mismatch in _getVariant

In toLanguageTag of LocaleListCache.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

Permanent denial of service via NotificationManager#createNotificationChannel

In createNotificationChannel of NotificationManager.java, there is a possible way to make the device unusable and require factory reset due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

[Bluetooth avrcp/avdtp heap overflow]

In avct_lcb_msg_asmbl of avct_lcb_act.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege over Bluetooth with no additional execution privileges needed. User interaction is not needed for...

OOB read in Bluetooth AVRC

In several functions that parse avrc response in avrc_pars_ct.cc and related files, there are possible out of bounds reads due to integer overflows. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannel#mName

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Secret notifications are not hidden on lock screen

In shouldHideNotification of KeyguardNotificationVisibilityProvider.kt, there is a possible way to show hidden notifications due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

ndk_mediamuxer_fuzzer: Heap-use-after-free in android::MediaAppender::init

In setDataSource of initMediaExtractor.cpp, there is a possibility of arbitrary code execution due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

Bypass of device carrier restrictions (OS Version = android 12)

In deletePackageVersionedInternal of DeletePackageHelper.java, there is a possible way to bypass carrier restrictions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Broken Permission Check

In deletePackageX of DeletePackageHelper.java, there is a possible way for a Guest user to reset pre-loaded applications for other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for.....

Apps can get the ACTIVITY_RECOGNITION runtime permission silently via app upgrade on Q and above

In restorePermissionState of PermissionManagerServiceImpl.java, there is a possible way to bypass user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Unlocking SIM PUK result in unlocking phone directly

In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lockscreen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[Out of Bounds Read in process_service_search_rsp Function in sdp_discoverty.cc in Bluetooth]

In process_service_search_rsp of sdp_discovery.cc, there is a possible out of bounds read due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

LazyValue in Bundle read with ReadWriteHelper may use Parcel after Parcel.recycle()

In initializeFromParcelLocked of BaseBundle.java, there is a possible method arbitrary code execution due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

An android kernel bug that allows to bypass all protection bypass and achieve privilege escalation

In io_identity_cow of io_uring.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

Launcher puts IApplicationThread inside ActivityOptions and it may be sent to launched app

In setOptions of ActivityRecord.java, there is a possible load any arbitrary Java code into launcher process due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[KASAN: slab-out-of-bounds in emulation_proc_handler+0x17c/0x1c8]

In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

[The use of BD_ADDR in BR/EDR as the identity address of BLE makes the dual-stack trackable]

In bta_dm_remove_device of bta_dm_act.cc, there is a possible way for a BT device to receive a long term trackable identifier due to a permissions bypass. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

libfdt_fuzzer: Heap-buffer-overflow in fdt_next_tag

In fdt_next_tag of fdt.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for...

Presentation can make the app start activities in the background

In createPresentationContext of Presentation.java, there is a possible way to start a foreground activity from background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Kernel integer overflow

In rndis_set_response of rndis.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious USB device is attached with no additional execution privileges needed. User interaction is not needed for...

InputMethodManagerService provides an implicit mutable PendingIntent to 3Ps

In startInputUncheckedLocked of InputMethodManagerService.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

Obtaining dangerous platform permission with app update

In PermissionController, there is a possible way to get and retain permissions without user's consent due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

Sync adapters can be called directly by other apps

In startSync of AbstractThreadedSyncAdapter.java, there is a possible way to access protected content of content providers due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for...

[Bug#2 - ActivityManager.bindService] Calling Package can be spoofed to ActivityManager.bindService

In shouldAllowFgsWhileInUsePermissionLocked of ActiveServices.java, there is a possible way to start foreground service from background due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed.....

Bluetooth scanning can be modified even restricted by UserManager.DISALLOW_BLUETOOTH/DISALLOW_CONFIG_BLUETOOTH

In WifiScanningPreferenceController and BluetoothScanningPreferenceController, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Android Security - [EMBARGO 5/24] invalid-free in io_uring that can lead to LPE

In io_req_init_async there is a potential use after free due to a race condition. This could lead to local escalation of privileges with User execution privileges needed. User interaction is not needed for...

Malicious code in a-stupid_test_gem (RubyGems)

-= Per source details. Do not edit below this...

Malicious code in a-special_day (RubyGems)

-= Per source details. Do not edit below this...

Malicious code in vendored-a (npm)

-= Per source details. Do not edit below this...

[Crafted HFP Client Packet Causes Out-of-bounds Read in Bluetooth]

In AT_SKIP_REST of bta_hf_client_at.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure in the Bluetooth stack with no additional execution privileges needed. User interaction is not needed for...

Malicious code in packs-a (npm)

-= Per source details. Do not edit below this...

Malicious code in a-constructor.js (npm)

-= Per source details. Do not edit below this...

Malicious code in a-special-day (RubyGems)

-= Per source details. Do not edit below this...

Malicious code in a-stupid-test_gem (RubyGems)

-= Per source details. Do not edit below this...

Malicious code in file-q-and-a (npm)

-= Per source details. Do not edit below this...