In updateState of ContentProtectionTogglePreferenceController.java, there is a possible way for a secondary user to disable the primary user's deceptive app scanning setting due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 396.0, "function_hash": "178772821437044671368461220834367232970" }, "id": "ASB-A-337774836-0869afde", "source": "https://googleplex-android.googlesource.com/platform/packages/apps/Settings/+/baf503050fc615c7f663ad09e5adb5ab7e7d99dc", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/security/ContentProtectionTogglePreferenceController.java", "function": "updateState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "23711293699501863784118794929569413548", "25438287924212247658772188015551403265", "272335625482017964206227763798719803994", "268766867470797680073392046456207230271", "101177561941442979732000305087204357315", "299893934923863190506642489540768999050", "51896521754327684075884495202685058216", "219286521362033844097925689090791309388" ] }, "id": "ASB-A-337774836-9c07e091", "source": "https://googleplex-android.googlesource.com/platform/packages/apps/Settings/+/baf503050fc615c7f663ad09e5adb5ab7e7d99dc", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/security/ContentProtectionTogglePreferenceController.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/baf503050fc615c7f663ad09e5adb5ab7e7d99dc" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 396.0, "function_hash": "178772821437044671368461220834367232970" }, "id": "ASB-A-337774836-4cddfe70", "source": "https://googleplex-android.googlesource.com/platform/packages/apps/Settings/+/ef16a8cbef5e0987a37c2fa9e5091672a3c8e4ab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/security/ContentProtectionTogglePreferenceController.java", "function": "updateState" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "23711293699501863784118794929569413548", "25438287924212247658772188015551403265", "272335625482017964206227763798719803994", "268766867470797680073392046456207230271", "101177561941442979732000305087204357315", "299893934923863190506642489540768999050", "51896521754327684075884495202685058216", "219286521362033844097925689090791309388" ] }, "id": "ASB-A-337774836-50c54e1f", "source": "https://googleplex-android.googlesource.com/platform/packages/apps/Settings/+/ef16a8cbef5e0987a37c2fa9e5091672a3c8e4ab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/settings/security/ContentProtectionTogglePreferenceController.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Settings/+/ef16a8cbef5e0987a37c2fa9e5091672a3c8e4ab" ], "spl": "2025-05-01", "severity": "High", "types": [ "EoP" ] }