In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 1125.0, "function_hash": "26791562549518565736591114075966613619" }, "id": "ASB-A-191055353-12719f89", "source": "https://android.googlesource.com/platform/frameworks/base/+/7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "getAllIntentFilters" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "202508760551269928049748925265883837546", "288382602394991793246021359047271616882", "315568490547752979314190785874915548175", "158415110010746717477914766817457489900", "265991536892244389881449343573385780205" ] }, "id": "ASB-A-191055353-4203149a", "source": "https://android.googlesource.com/platform/frameworks/base/+/7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java" }, "signature_type": "Line" }, { "digest": { "threshold": 0.9, "line_hashes": [ "6383142627887921752049176884963281050", "338290418009196026627822591821849595762", "183713638792197465421770325659382567042", "174014216592730753590348061875738654121", "109061979751437069457706521258152489813", "222598178733217949611033563915240518466", "215718501902555768039193060090932952539", "306705427514010007601787371644725205716", "230439080901629084449912468634622205021", "190887323007752390040444032902027580230", "337630781252104154245060121950646789109", "247519087127743278762696513752738413944", "319872940432361777858647363532225970641", "70869797237057126119282022522830468623", "137315420376541200394191568973125246448", "35813260228783421431271021967438178401", "332763883529750271178452233556756301302", "173948048992640538787447581372596933973" ] }, "id": "ASB-A-191055353-512ca9e6", "source": "https://android.googlesource.com/platform/frameworks/base/+/75214cc510c62f936a713c2da3d0a54db9405957", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/content/pm/parsing/component/ParsedIntentInfo.java" }, "signature_type": "Line" }, { "digest": { "length": 66.0, "function_hash": "206484618850353406861666623578980502078" }, "id": "ASB-A-191055353-60e27fd4", "source": "https://android.googlesource.com/platform/frameworks/base/+/75214cc510c62f936a713c2da3d0a54db9405957", "deprecated": false, "signature_version": "v1", "target": { "file": "core/java/android/content/pm/parsing/component/ParsedIntentInfo.java", "function": "newArray" }, "signature_type": "Function" }, { "digest": { "length": 113.0, "function_hash": "188809707356197393437833129108699107627" }, "id": "ASB-A-191055353-b9d833df", "source": "https://android.googlesource.com/platform/frameworks/base/+/7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/pm/PackageManagerService.java", "function": "writeElement" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/75214cc510c62f936a713c2da3d0a54db9405957", "https://android.googlesource.com/platform/frameworks/base/+/7ac9b1da731bdf6ed2f34e22d5da7030bc0f7d21" ], "spl": "2021-09-01", "severity": "High", "types": [ "EoP" ] }