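In getBackgroundRestrictionExemptionReason of AppRestrictionController.java, there is a possible way to bypass device policy restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The record below rates the issue High (EoP), assigns it to the 2022-10-01 security patch level, and links the frameworks/base fix commit; its two Vanir signatures (one function-level, one line-level) target this file so that a source tree can be checked for the missing patch.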
{ "vanir_signatures": [ { "digest": { "length": 2215.0, "function_hash": "81851832787058760284793457627546280792" }, "id": "ASB-A-238377411-00e006fe", "source": "https://android.googlesource.com/platform/frameworks/base/+/26945bf8608a8d5e38bdda4a68e3d444eed03de0", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/AppRestrictionController.java", "function": "getBackgroundRestrictionExemptionReason" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "338084814463838692865463276062272481269", "204095983282894935881441189197943072724", "111208491350462862960277179470679895697", "163064010969996349495530247851842396655", "16839510854669803563955315361634610793", "1786610215237782535962533169394715750", "334398862494929584959105449151793775680", "330533647503340784153069115043786205902", "143485974629224183528668425378540623940", "26926396955253309710027627514622503319", "273745746621807355187035804840176057909", "305889137737588596988465704815320506336", "134194250848175375095003306340074806879", "194957543535939216182745666166217578049", "26422771808357216473777961746329713413", "265669218276827631057056749515506381182", "76606515071439434307528638013225843903", "288517370563388251142327358930969033659", "130344593426080827019006436581711947077", "186682583954881249989830317938655312716", "225415400739484179376797177558147078077", "51695108914376855781955835012299425394", "150871703979736768091563171795087467328", "191061473204025477134646219421376372468", "21290638900906506377241001768891280698", "186369197693698899165612098672542311067", "574410352114663538138448114640889277", "114051027259629430124426829744691013693", "283453390914155909792195628521054937976", "243016695195401865758899327290423773863", "235135641989946274393347545803689135166", "52733613119433308264821384417685192222", "119872224072732039667693289869059257275", "95863338367342909469211096695945675284" ] }, 
"id": "ASB-A-238377411-9a5ec86e", "source": "https://android.googlesource.com/platform/frameworks/base/+/26945bf8608a8d5e38bdda4a68e3d444eed03de0", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/am/AppRestrictionController.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/26945bf8608a8d5e38bdda4a68e3d444eed03de0" ], "spl": "2022-10-01", "severity": "High", "types": [ "EoP" ] }