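In multiple functions of CameraService.cpp, a permissions bypass makes it possible to use the camera from the background. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The fix records below cover both services/camera/libcameraservice/CameraService.cpp (platform/frameworks/av) and services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java (platform/frameworks/base), so a build needs the patches from both repositories to be considered fixed.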
{ "vanir_signatures": [ { "digest": { "length": 1656.0, "function_hash": "254202837061846832544589291245355270633" }, "id": "ASB-A-290086710-51dbb89d", "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db", "deprecated": false, "signature_version": "v1", "target": { "file": "services/camera/libcameraservice/CameraService.cpp", "function": "CameraService::BasicClient::opChanged" }, "signature_type": "Function" }, { "digest": { "length": 866.0, "function_hash": "302322008522747557019494382704664026732" }, "id": "ASB-A-290086710-b21498a0", "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db", "deprecated": false, "signature_version": "v1", "target": { "file": "services/camera/libcameraservice/CameraService.cpp", "function": "CameraService::BasicClient::startCameraOps" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "287023254196078774974346117208349949074", "71649452220605875848730161465198933078", "257068969661533249716246651634082780533", "32410912919073141206202916228112545218", "425831353257704999743813501053022473", "30648849819907695628208091309181388627", "214176240908218353227764329756796466877", "82556939667956581029247832626831654630", "245052272985031328425942731442219873781", "330931687319613007159986692846726124149", "235720143994668494477436673907911073678", "297963264748252115347413654939754396413", "76761991812040438069226239587023531933", "305271750055051743938661016042039615261", "48056098082814772610986852440205103977", "278703809251719793956423613461046183192", "241247860131011694514509276441160619821", "321167379323989853905497695244594083097", "74781804252044493077812330606545515838" ] }, "id": "ASB-A-290086710-f55f1c71", "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db", "deprecated": false, 
"signature_version": "v1", "target": { "file": "services/camera/libcameraservice/CameraService.cpp" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "15-next" ], "digest": { "length": 1621.0, "function_hash": "180314858765852087668419592107383397938" }, "id": "ASB-A-290086710-640d978f", "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java", "function": "updateUidProcState" }, "signature_type": "Function" }, { "match_only_versions": [ "15-next" ], "digest": { "threshold": 0.9, "line_hashes": [ "149275339821518598722917024527968348981", "234965234939914373346267562292934616488", "313493199152730291669304169174276896435", "210970471893246925949384473374949373825", "218784459897775903464938288029826676044", "96512608004077765210881459935368665346", "323704604777256755927340224071007709092", "249754007199575814856423182932898070124", "9592093337908522306658155576396560329", "126458199822259320344833441168839530670", "98528291272017821678960970957259623871", "249295992371111805370626937390377070599", "199724485029716651248730890593484317687", "15587083337449792691704181613098374200", "131082735494167469451184927534036110516", "236296243286739477343310733193468000050", "121319889550130331067722205974429723008" ] }, "id": "ASB-A-290086710-b91fe771", "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 854.0, "function_hash": "97766512600221642319392882677523302637" }, "id": "ASB-A-290086710-30739c9a", "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266", "deprecated": false, "signature_version": "v1", "target": { "file": "services/camera/libcameraservice/CameraService.cpp", "function": "CameraService::BasicClient::startCameraOps" }, "signature_type": "Function" }, { "match_only_versions": [ "14" ], "digest": { "length": 1446.0, "function_hash": "167571658472021730968142249955636370346" }, "id": "ASB-A-290086710-3a0191e3", "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266", "deprecated": false, "signature_version": "v1", "target": { "file": "services/camera/libcameraservice/CameraService.cpp", "function": "CameraService::BasicClient::opChanged" }, "signature_type": "Function" }, { "match_only_versions": [ "14" ], "digest": { "threshold": 0.9, "line_hashes": [ "292675834663999425249988058118957286606", "202921329713952831544222533617666843101", "47363457268071049243787657159189036621", "3797777419502649469374211243829159482", "281014525697257549259804357936795495438", "13475576899591971877570731765924552749", "25044822316811889082213305146526822238", "306435878378023010484809286992192104310", "46751999356910679851987948580352956538", "186891956017417490939703876673516835047", "305271750055051743938661016042039615261", "48056098082814772610986852440205103977", "278703809251719793956423613461046183192", "241247860131011694514509276441160619821", "321167379323989853905497695244594083097" ] }, "id": "ASB-A-290086710-7792771f", "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266", "deprecated": false, "signature_version": "v1", "target": { "file": "services/camera/libcameraservice/CameraService.cpp" }, 
"signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "match_only_versions": [ "14" ], "digest": { "threshold": 0.9, "line_hashes": [ "218784459897775903464938288029826676044", "96512608004077765210881459935368665346", "323704604777256755927340224071007709092", "249754007199575814856423182932898070124", "9592093337908522306658155576396560329", "126458199822259320344833441168839530670", "98528291272017821678960970957259623871", "249295992371111805370626937390377070599", "199724485029716651248730890593484317687", "15587083337449792691704181613098374200", "131082735494167469451184927534036110516", "236296243286739477343310733193468000050", "121319889550130331067722205974429723008" ] }, "id": "ASB-A-290086710-23dd136f", "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java" }, "signature_type": "Line" }, { "match_only_versions": [ "14" ], "digest": { "length": 1621.0, "function_hash": "180314858765852087668419592107383397938" }, "id": "ASB-A-290086710-3a162573", "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java", "function": "updateUidProcState" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }