In bindRemoteViewsService of AppWidgetServiceImpl.java, there is a possible way to bypass background activity launch restrictions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "301939499715474086686814466129782162595", "338666126514144047379684270714637681856", "237068998572706870373509846032853599867", "253068636425074951647775241125817726292", "81309442384179410729868758149480836056", "149351765488031146942561662630386098070", "258822827992832751568478612410852030246", "1472386385560218029928473278780656262" ] }, "id": "ASB-A-234013191-60122e66", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java" }, "signature_type": "Line" }, { "digest": { "length": 1287.0, "function_hash": "208609670895234307832493313701423419039" }, "id": "ASB-A-234013191-eb2953dc", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java", "function": "bindRemoteViewsService" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "301939499715474086686814466129782162595", "338666126514144047379684270714637681856", "237068998572706870373509846032853599867", "253068636425074951647775241125817726292", "81309442384179410729868758149480836056", "149351765488031146942561662630386098070", "258822827992832751568478612410852030246", "1472386385560218029928473278780656262" ] }, "id": "ASB-A-234013191-8788b533", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java" }, "signature_type": "Line" }, { "digest": { "length": 1287.0, "function_hash": "208609670895234307832493313701423419039" }, "id": "ASB-A-234013191-efe3eff5", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java", "function": "bindRemoteViewsService" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1287.0, "function_hash": "208609670895234307832493313701423419039" }, "id": "ASB-A-234013191-165e71a1", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java", "function": "bindRemoteViewsService" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "301939499715474086686814466129782162595", "338666126514144047379684270714637681856", "237068998572706870373509846032853599867", "253068636425074951647775241125817726292", "81309442384179410729868758149480836056", "149351765488031146942561662630386098070", "258822827992832751568478612410852030246", "1472386385560218029928473278780656262" ] }, "id": "ASB-A-234013191-a619de18", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 1287.0, "function_hash": "208609670895234307832493313701423419039" }, "id": "ASB-A-234013191-ad3fa7e5", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java", "function": "bindRemoteViewsService" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "301939499715474086686814466129782162595", "338666126514144047379684270714637681856", "237068998572706870373509846032853599867", "253068636425074951647775241125817726292", "81309442384179410729868758149480836056", "149351765488031146942561662630386098070", "258822827992832751568478612410852030246", "1472386385560218029928473278780656262" ] }, "id": "ASB-A-234013191-bbad910f", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "301939499715474086686814466129782162595", "338666126514144047379684270714637681856", "237068998572706870373509846032853599867", "253068636425074951647775241125817726292", "81309442384179410729868758149480836056", "149351765488031146942561662630386098070", "258822827992832751568478612410852030246", "1472386385560218029928473278780656262" ] }, "id": "ASB-A-234013191-a214aa4c", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java" }, "signature_type": "Line" }, { "digest": { "length": 1287.0, "function_hash": "208609670895234307832493313701423419039" }, "id": "ASB-A-234013191-c0a2b185", "source": "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011", "deprecated": false, "signature_version": "v1", "target": { "file": "services/appwidget/java/com/android/server/appwidget/AppWidgetServiceImpl.java", "function": "bindRemoteViewsService" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/0ee21ef3e652c78c934d257632a4951bd6d38011" ], "spl": "2022-12-01", "severity": "High", "types": [ "EoP" ] }