In static definitions of GattServiceConfig.java, there is a possible permission bypass due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "match_only_versions": [ "12L" ], "digest": { "threshold": 0.9, "line_hashes": [ "310264222601774262554073906312179050471", "233851378929737165976130497824506340663" ] }, "id": "PUB-A-185513714-75917028", "source": "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/2109e7a24a18a3d2c87b6a7bbb545a1246ea21b6", "deprecated": false, "signature_version": "v1", "target": { "file": "src/com/android/bluetooth/gatt/GattServiceConfig.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/packages/apps/Bluetooth/+/2109e7a24a18a3d2c87b6a7bbb545a1246ea21b6" ], "spl": "2022-06-01", "severity": "Moderate", "types": [ "EoP" ] }