In broadcastPortInfo of AdbService.java, there is a possible way for apps to run code as the shell user, if wireless debugging is enabled, due to…

In multiple locations of MediaProvider.java , there is a possible way to get read/write access to other app’s dedicated, app-specific directory within external storage due…

In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to…

In several functions of of LauncherApps.java, there is a possible escalation of privilege due to a logic error in the code. This could lead to…

In Bitmap_createFromParcel of Bitmap.cpp, there is a possible arbitrary code execution due to a missing bounds check. This could lead to local escalation of privilege…

In AttributionSource of AttributionSource.java, there is a possible permission bypass due to improper input validation. This could lead to local escalation of privilege with no…

In ion_ioctl of ion-ioctl.c, there is a possible way to leak kernel head data due to a use after free. This could lead to local…

In ion_ioctl of ion-ioctl.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no…

In change_pte_range of mprotect.c , there is a possible way to make a shared mmap writable due to a permissions bypass. This could lead to…

In ~Impl of C2AllocatorIon.cpp, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure…