CA Technologies, A Broadcom Company Security Vulnerabilities

osv

WhatsApp able to use microphone even after permissions revoked & app force stop in Android 13 Pixel 6

In startInput of AudioPolicyInterfaceImpl.cpp, there is a possible way of erroneously displaying the microphone privacy indicator due to a race condition. This could lead to false user expectations. User interaction is needed for...

CVSS: 3.1

AI Score: 6.6

EPSS: 0.001

2023-07-01 12:00 AM
5
osv

[ADP Grant] System Tracing can be used even if DISALLOW_DEBUGGING_FEATURES has been applied (MainActivity)

In multiple functions of multiple files, there is a possible way to bypass the DISALLOW_DEBUGGING_FEATURES restriction for tracing due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for.....

CVSS: 7.8

AI Score: 6.8

EPSS: 0.0004

2023-06-01 12:00 AM
17
osv

Permanent denial of service via JobScheduler#schedule with invalid NetworkCapabilities.mTransportTypes

In several methods of JobStore.java, uncaught exceptions in job map parsing could lead to local persistent denial of service with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 6.4

EPSS: 0.0004

2023-06-01 12:00 AM
6
osv

ADP Grant - Persisting existing notification access after reboot via a malformed notification listener with super large component name enabled

In onCreate of NotificationAccessSettings.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 6.8

EPSS: 0.0004

2023-06-01 12:00 AM
9
osv

BR/EDR link key downgrades

In btm_sec_encrypt_change of btm_sec.cc, there is a possible way to downgrade the link key type due to improperly used crypto. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 8.8

AI Score: 7.1

EPSS: 0.0005

2023-06-01 12:00 AM
5
osv

Reading other users' image files using ChooserActivity image preview

In multiple functions of ChooserActivity.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 5.7

EPSS: 0.0004

2023-06-01 12:00 AM
5
osv

[AOSP Bluetooth Use after free-bta_hf_client_sdp.cc-bta_hf_client_do_disc]

In sdpu_build_uuid_seq of sdp_discovery.cc, there is a possible out of bounds write due to a use after free. This could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for...

CVSS: 8.8

AI Score: 7.6

EPSS: 0.001

2023-06-01 12:00 AM
5
osv

EFI Linux/arm64 code can be subverted to overwrite the shadow call stack pointer

In __efi_rt_asm_wrapper of efi-rt-wrapper.S, there is a possible bypass of shadow stack protection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.3

EPSS: 0.0004

2023-05-01 12:00 AM
8
osv

Cross-user notification access type control using undocumented intent extras

In retrieveAppEntry of NotificationAccessDetails.java, there is a missing permission check. This could lead to local escalation of privilege across user boundaries with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.3

EPSS: 0.0004

2023-05-01 12:00 AM
5
osv

Persisting notification access after reboot by notifying and snoozing notifications with super large tag

In several functions of SnoozeHelper.java, there is a possible way to grant notifications access due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.3

EPSS: 0.0004

2023-05-01 12:00 AM
5
osv

libsensorserviceaidl_fuzzer: Heap-buffer-overflow in android::String8::setTo

In unflattenString8 of Sensor.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 6.7

EPSS: 0.0004

2023-05-01 12:00 AM
2
osv

[2 of 2] App can access microphone in a foreground service without declaring microphone foreground service type as an attribute of <service> component. [ 2. android.telecom.CallScreeningService service continuously recording]

In onNullBinding of CallScreeningServiceHelper.java, there is a possible way to record audio without showing a privacy indicator due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 6.8

EPSS: 0.0004

2023-04-01 12:00 AM
7
osv

Native crash - AID_BLUETOOTH - signal 11 (SIGSEGV)../libbluetooth_jni.so (bluetooth::activity_attribution::AttributionProcessor::OnWakelockReleased)../libbluetooth_jni.so (bluetoo...

In OnWakelockReleased of attribution_processor.cc, there is a use after free that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

CVSS: 9.8

AI Score: 7.7

EPSS: 0.002

2023-04-01 12:00 AM
7
osv

Investigate Security Vulnerability of getPhysicalDisplayToken

In sanitize of LayerState.cpp, there is a possible way to take over the screen display and swap the display content due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.3

EPSS: 0.0004

2023-04-01 12:00 AM
5
osv

Modifying other users' app locales using AppLocalePickerActivity in Settings

In canDisplayLocalUi of AppLocalePickerActivity.java, there is a possible way to change system app locales due to a missing permission check. This could lead to local denial of service across user boundaries with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 6.2

EPSS: 0.0004

2023-04-01 12:00 AM
3
osv

Triage/rating request for io_uring upstream patch

In static initializers of io_uring.c, there is an insecure default value. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 8

EPSS: 0.0004

2023-04-01 12:00 AM
7
osv

Applications maintain their permission across different targeted sdks

In onPackageAddedInternal of PermissionManagerService.java, there is a possible way to silently grant a permission after a Target SDK update due to a permissions bypass. This could lead to local escalation of privilege after updating an app to a higher Target SDK with no additional execution...

CVSS: 7.8

AI Score: 7.3

EPSS: 0.0004

2023-03-01 12:00 AM
9
osv

[Out of Bounds Write in avdt_scb_hdl_write_req in avdt_scb_act.c in libbt-stack]

In avdt_scb_hdl_write_req of avdt_scb_act.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7

EPSS: 0.0004

2023-03-01 12:00 AM
3
osv

Unable to share/attach screenshot to Gmail in work profile

In onTargetSelected of ResolverActivity.java, there is a possible way to share a wrong file due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 6.8

EPSS: 0.0004

2023-03-01 12:00 AM
8
osv

[Bug 2 of 7] Google Pixel Smartphone [FRP]Factory Reset Protection bypass (OS Version = android 13) - 2. Enabling voice setup adds the green audio-recording privacy indicator

In onParentVisible of HeaderPrivacyIconsController.kt, there is a possible way to bypass factory reset protections due to a missing permission check. This could lead to local escalation of privilege with physical access to a device that's been factory reset with no additional execution privileges.....

CVSS: 6.8

AI Score: 6.7

EPSS: 0.0005

2023-03-01 12:00 AM
9
osv

Backport: FreeType Heap buffer overflow read

In read_paint of ttcolr.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.1

AI Score: 6.7

EPSS: 0.0004

2023-03-01 12:00 AM
5
osv

[Out of Bounds Read in dropFramesUntilIframe Function in AAVCAssembler.cpp in libstagefright_rtsp]

In dropFramesUntilIframe of AAVCAssembler.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.5

AI Score: 7.3

EPSS: 0.001

2023-02-01 12:00 AM
5
osv

Delete SoftAp configuration on network reset

In multiple files, there is a possible way to preserve WiFi settings due to residual data after a reset. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for...

CVSS: 5.5

AI Score: 5.6

EPSS: 0.0004

2023-02-01 12:00 AM
2
osv

Crash in /system/bin/wificond, HWAddressSanitizer: tag-mismatch on address 0x003856ed0b24 at pc 0x0077686e55a0 WRITE of size 4 at 0x003856ed0b24 tags: 21/4c (ptr/mem) in thread T0

In multiple functions of looper_backed_event_loop.cpp, there is a possible way to corrupt memory due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.8

EPSS: 0.0004

2023-02-01 12:00 AM
3
osv

Linux kernel vulnerability advisory

In multiple functions of extents.c, there is a possible out of bounds read due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.1

AI Score: 5.7

EPSS: 0.001

2023-02-01 12:00 AM
12
osv

GKI kernels contain broken non-upstream Speculative Page Faults MM code

In several functions of the Android Linux kernel, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.7

EPSS: 0.0004

2023-02-01 12:00 AM
4
osv

Vulnerability: Package libexpat affected by CVE-2022-43680 affecting GitOnBorg::android::platform::external::expat

In parserCreate of xmlparse.c, there is a possible use after free that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.5

AI Score: 8.1

EPSS: 0.004

2023-02-01 12:00 AM
9
osv

Starting Activity from background via LauncherAppsService#getActivityLaunchIntent

In getMainActivityLaunchIntent of LauncherAppsService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User...

CVSS: 7.8

AI Score: 7.8

EPSS: 0.0004

2023-01-01 12:00 AM
6
osv

Automatically turn on notification access after the user has turns off without the user's awareness via ZenRule#condition

In Condition of Condition.java, there is a possible way to grant notification access due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

CVSS: 7.8

AI Score: 7.8

EPSS: 0.0005

2023-01-01 12:00 AM
4
osv

Automatically turn on notification access after the user has turns off without the user's awareness via AutomaticZenRule#owner

In multiple functions of AutomaticZenRule.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.8

EPSS: 0.0004

2023-01-01 12:00 AM
6
osv

: wifi: mac80211: fix MBSSID parsing use-after-free

In ieee802_11_parse_elems_crc of util.c, there is a possible use after free due to a logic error in the code. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

CVSS: 8.8

AI Score: 8.8

EPSS: 0.01

2023-01-01 12:00 AM
12
osv

: wifi: cfg80211: fix BSS refcounting bugs

In multiple functions of scan.c, there is a possible way to inject WLAN frames due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 8.3

EPSS: 0.0004

2023-01-01 12:00 AM
4
osv

Automatically turn on notification access after the user has turns off without the user's awareness via NotificationChannelGroup#mName

In NotificationChannel of NotificationChannel.java, there is a possible failure to persist permissions settings due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.1

EPSS: 0.0004

2022-12-01 12:00 AM
1
osv

Accessibility Service does not list/report all enabled 3rd party a11y services on the device

In getEnabledAccessibilityServiceList of AccessibilityManager.java, there is a possible way to hide an accessibility service due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7

EPSS: 0.0004

2022-12-01 12:00 AM
7
osv

libfdt_fuzzer: Stack-overflow in fdt_path_offset_namelen

In fdt_path_offset_namelen of fdt_ro.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for...

CVSS: 4.4

AI Score: 6.1

EPSS: 0.0004

2022-12-01 12:00 AM
3
osv

[Continual Calling to addAccountExplicitly Causes Permanent DoS to Android System]

In findAllDeAccounts of AccountsDb.java, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 5.4

EPSS: 0.0004

2022-12-01 12:00 AM
19
osv

[Bluetooth avrcp/avdtp heap overflow] part 2: avdt_msg_asmbl

In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for...

CVSS: 8.8

AI Score: 7.8

EPSS: 0.001

2022-12-01 12:00 AM
7
osv

Task hijacking of apps that set allowTaskReparenting="true"

In test of ResetTargetTaskHelper.java, there is a possible hijacking of any app which sets allowTaskReparenting="true" due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.1

EPSS: 0.0004

2022-12-01 12:00 AM
6
osv

Permanent denial of service via PackageManager#setComponentEnabledSetting

In setEnabledSetting of PackageManager.java, there is a possible way to get the device into an infinite reboot loop due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 6.6

EPSS: 0.0004

2022-12-01 12:00 AM
4
osv

AlwaysOnHotwordDetector allows hotword detection without CAPTURE_AUDIO_HOTWORD permission

In AlwaysOnHotwordDetector of AlwaysOnHotwordDetector.java, there is a possible way to access the microphone from the background due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 3.3

AI Score: 6.7

EPSS: 0.0004

2022-11-01 12:00 AM
3
osv

InputMethodManager#getInputMethodWindowVisibleHeight() leaks user activity to any app

In getInputMethodWindowVisibleHeight of InputMethodManagerService.java, there is a possible way to determine when another app is showing an IME due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is...

CVSS: 5

AI Score: 6.2

EPSS: 0.0004

2022-10-01 12:00 AM
8
osv

SQL Injection in CallLogProvider#query via URI PathSegments

In queryInternal of CallLogProvider.java, there is a possible access to voicemail information due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 5.5

EPSS: 0.0004

2022-10-01 12:00 AM
10
osv

Foreground Activity Started via FullScreenIntent

In handleFullScreenIntent of StatusBarNotificationActivityStarter.java, there is a possible bypass of the restriction of starting activity from background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User...

CVSS: 7.8

AI Score: 7.1

EPSS: 0.0004

2022-10-01 12:00 AM
16
osv

[OPTiM] FGS Task Manager displays a Stop button for apps that have been whitelisted to be exempt from battery optimization.

In getBackgroundRestrictionExemptionReason of AppRestrictionController.java, there is a possible way to bypass device policy restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not...

CVSS: 7.8

AI Score: 7.1

EPSS: 0.0004

2022-10-01 12:00 AM
3
osv

Malicious APP Causes Device DoS - test

In freeStageDirs of PackageInstallerService.java, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 6.6

EPSS: 0.0004

2022-10-01 12:00 AM
5
osv

Vulnerability: external/expat (size_t)

(from https://nvd.nist.gov/vuln/detail/CVE-2022-25314) In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString. In copyString of xmlparse.c, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege with no...

CVSS: 7.5

AI Score: 8.8

EPSS: 0.009

2022-09-01 12:00 AM
15
osv

Linux kernel vulnerability advisory

In fget() of file.c, there is a possible read after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7

AI Score: 7.7

EPSS: 0.0004

2022-09-01 12:00 AM
20
osv

4 bytes uninitialized heap memory leak from system_server process to untrusted app

In writeToParcel of SurfaceControl.cpp, there is a possible information disclosure due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS: 5.5

AI Score: 6.2

EPSS: 0.0004

2022-08-01 12:00 AM
4
osv

Make bluetooth discoverable via SettingsIntelligence#SliceDeepLinkTrampoline

In onAttach of ConnectedDeviceDashboardFragment.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for...

CVSS: 8.8

AI Score: 7.4

EPSS: 0.001

2022-08-01 12:00 AM
5
osv

WIFI scanning can be modified even restricted by UserManager.DISALLOW_CONFIG_WIFI

In updateState of LocationServicesWifiScanningPreferenceController.java, there is a possible admin restriction bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

CVSS: 7.8

AI Score: 7.1

EPSS: 0.0004

2022-08-01 12:00 AM
8
Total number of security vulnerabilities: 2915240