In stopVpnProfile of Vpn.java, there is a possible VPN profile reset due to a permissions bypass. This could lead to local escalation of privilege CONTROLALWAYSON_VPN with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "249075278512829168754042795387518813750", "159388925239194086110019053960304969612", "104848444477519217474237556570055385811", "97590697546115221432188778181145799833", "95975522758785182856088401938732163268", "38729615384395579501124902717966760349", "40135872218419544498134803688603443737", "178413717962493023367993335606776715959", "246714061973602262374419698083005330097", "70189935037104495525897089633168244123", "306576123403228771282968129054536480080", "226714567186253957383971980360413508704", "187989992647598380755570461639950930741", "147354967674750052531737893602276117569" ] }, "id": "ASB-A-191382886-23870e76", "source": "https://android.googlesource.com/platform/frameworks/base/+/f3072fcd46112bad7c5f6ddd4cc35d2c67f00d11", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/ConnectivityService.java" }, "signature_type": "Line" }, { "digest": { "length": 187.0, "function_hash": "218177222831341778865879455474855236138" }, "id": "ASB-A-191382886-97b9e92f", "source": "https://android.googlesource.com/platform/frameworks/base/+/f3072fcd46112bad7c5f6ddd4cc35d2c67f00d11", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/ConnectivityService.java", "function": "stopVpnProfile" }, "signature_type": "Function" }, { "digest": { "length": 214.0, "function_hash": "340082255310276846879016599533391396102" }, "id": "ASB-A-191382886-ac7e74b8", "source": "https://android.googlesource.com/platform/frameworks/base/+/f3072fcd46112bad7c5f6ddd4cc35d2c67f00d11", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/ConnectivityService.java", "function": "startVpnProfile" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/f3072fcd46112bad7c5f6ddd4cc35d2c67f00d11" ], "spl": "2021-11-01", "severity": "High", "types": [ "EoP" ] }