CVE Daily
← All tags

Tag: Android OS

All CVEs associated with "Android OS". Page 19/76 • 9114 CVEs.

Subscribe CVEs: RSS for “Android OS”  ·  RSS (High+Critical only)

About “Android OS”

A curated feed of “Android OS”-related CVEs appears below. We currently track 9114 CVEs for this tag (all time). In the last 365 days, 361 were published. Average CVSS is 6.8 (all time; 6.1 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-926 - Improper Export of Android Application Components, CWE-451 - User Interface (UI) Misrepresentation of Critical Information, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-12-15
High

CVE-2021-0984

In onNullBinding of ManagedServices.java, there is a possible permission bypass due to an incorrectly unbound service. This could lead to local escalation of privilege with no additional execution pr…

CVSS: 7.8 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
Low

CVE-2021-0983

In createAdminSupportIntent of DevicePolicyManagerService.java, there is a possible disclosure of information about installed device/profile owner package name due to side channel information disclos…

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2021-0982

In getOrganizationNameForUser of DevicePolicyManagerService.java, there is a possible organization name disclosure due to a missing permission check. This could lead to local information disclosure w…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0981

In enqueueNotificationInternal of NotificationManagerService.java, there is a possible way to run a foreground service without showing a notification due to improper input validation. This could lead…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0979

In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions b…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2021-0978

In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0977

In phNxpNHal_DtaUpdate of phNxpNciHal_dta.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileg…

CVSS: 6.7 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-0976

In toBARK of floor0.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User inte…

CVSS: 6.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2021-0973

In isFileUri of UriUtil.java, there is a possible way to bypass ignoring file://URI attachment due to improper handling of case sensitivity. This could lead to local information disclosure with no ad…

CVSS: 5.0 CWE: CWE-178 - Improper Handling of Case Sensitivity View on NVD
Medium

CVE-2021-0971

In MPEG4Source::read of MPEG4Extractor.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote information disclosure with no additional execution privil…

CVSS: 6.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0970

In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. This could lead to local escalation of privilege with no additional execution priv…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2021-0969

In getTitle of AccessPoint.java, there is a possible unhandled exception due to a missing null check. This could lead to remote denial of service if a proximal Wi-Fi AP provides invalid information w…

CVSS: 6.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
High

CVE-2021-0968

In osi_malloc and osi_calloc of allocator.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges need…

CVSS: 8.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2021-0967

In vorbis_book_decodev_set of codebook.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileg…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-0966

In code generated by BuildParcelFields of generate_cpp.cpp, there is a possible way for a crafted parcelable to reveal uninitialized memory of a target process due to uninitialized data. This could l…

CVSS: 5.5 CWE: CWE-909 - Missing Initialization of Resource View on NVD
High

CVE-2021-0965

In AndroidManifest.xml of Settings, there is a possible pairing of a Bluetooth device without user's consent due to a missing permission check. This could lead to local escalation of privilege with n…

CVSS: 8.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0964

In C2SoftMP3::process() of C2SoftMp3Dec.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privi…

CVSS: 6.5 CWE: CWE-681 - Incorrect Conversion between Numeric Types View on NVD
High

CVE-2021-0963

In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no…

CVSS: 7.1 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Medium

CVE-2021-0961

In quota_proc_write of xt_quota2.c, there is a possible way to read kernel memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. U…

CVSS: 4.4 CWE: CWE-909 - Missing Initialization of Resource View on NVD
Medium

CVE-2021-0958

In update of km_compat.cpp, there is a possible loss of potentially sensitive data due to a logic error in the code. This could lead to local denial of service with User execution privileges needed.…

CVSS: 4.4 CWE: N/A View on NVD
Critical

CVE-2021-0956

In NfcTag::discoverTechnologies (activation) of NfcTag.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote escalation of privilege with no additio…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0955

In pf_write_buf of FuseDaemon.cpp, there is possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User i…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0954

In ResolverActivity, there is a possible user interaction bypass due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User inter…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0953

In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. This could lead to local…

CVSS: 7.8 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2021-0952

In doCropPhoto of PhotoSelectionHandler.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure of user's contacts with no additional exe…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2021-0933

In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.java, there is a possible way for HTML tags to interfere with a consent dialog due to improper input validation. This could lead t…

CVSS: 8.0 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-0932

In showNotification of NavigationModeController.java, there is a possible confused deputy due to an unsafe PendingIntent. This could lead to local escalation of privilege that allows actions performe…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0931

In getAlias of BluetoothDevice.java, there is a possible way to create misleading permission dialogs due to missing data filtering. This could lead to local information disclosure with User execution…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-0930

In phNxpNciHal_process_ext_rsp of phNxpNciHal_ext.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over NFC with no additional execu…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0929

In ion_dma_buf_end_cpu_access and related functions of ion.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional ex…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0928

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege w…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-0927

In requestChannelBrowsable of TvInputManagerService.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional e…

CVSS: 7.8 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
High

CVE-2021-0926

In onCreate of NfcImportVCardActivity.java, there is a possible way to add a contact without user's consent due to a missing permission check. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0925

In rw_t4t_sm_detect_ndef of rw_t4t.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure due to a limited change in behavior ba…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-0924

In xhci_vendor_get_ops of xhci.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed…

CVSS: 7.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-0923

In createOrUpdate of Permission.java, there is a possible way to gain internal permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execu…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0922

In enforceCrossUserOrProfilePermission of PackageManagerService.java, there is a possible bypass of INTERACT_ACROSS_PROFILES permission due to a missing permission check. This could lead to local esc…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0921

In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-0920

In unix_scm_to_skb of af_unix.c, there is a possible use after free bug due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interac…

CVSS: 6.4 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2021-0919

In getService of IServiceManager.cpp, there is a possible unhandled exception due to an integer overflow. This could lead to local denial of service making the lockscreen unusable with no additional…

CVSS: 5.0 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2021-0918

In gatt_process_notification of gatt_cl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2021-0889

In Android TV , there is a possible silent pairing due to lack of rate limiting in the pairing flow. This could lead to remote code execution with no additional execution privileges needed. User inte…

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2021-0799

In ActivityThread.java, there is a possible way to collide the content provider's authorities. This could lead to local escalation of privilege with no additional execution privileges needed. User in…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2021-0769

In onCreate of AllowBindAppWidgetActivity.java, there is a possible bypass of user interaction requirements due to unclear UI. This could lead to local escalation of privilege with no additional exec…

CVSS: 7.3 CWE: N/A View on NVD
Medium

CVE-2021-0704

In createNoCredentialsPermissionNotification and related functions of AccountManagerService.java, there is a possible way to retrieve accounts from the device without permissions due to a permissions…

CVSS: 5.5 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2021-0653

In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosu…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0650

In WT_InterpolateNoLoop of eas_wtengine.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privi…

CVSS: 6.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-0649

In stopVpnProfile of Vpn.java, there is a possible VPN profile reset due to a permissions bypass. This could lead to local escalation of privilege CONTROL_ALWAYS_ON_VPN with no additional execution p…

CVSS: 7.8 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-0434

In onReceive of BluetoothPermissionRequest.java, there is a possible phishing attack allowing a malicious Bluetooth device to acquire permissions based on insufficient information presented to the us…

CVSS: 7.3 CWE: N/A View on NVD
2021-12-14
Medium

CVE-2021-34425

The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In ver…

CVSS: 4.7 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2021-12-10
Medium

CVE-2021-40834

A user interface overlay vulnerability was discovered in F-secure SAFE Browser for Android. When user click on a specially crafted seemingly legitimate URL SAFE browser goes into full screen and hide…

CVSS: 4.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2021-12-08
Medium

CVE-2021-43544

When receiving a URL through a SEND intent, Firefox would have searched for the text, but subsequent usages of the address bar might have caused the URL to load unintentionally, which could lead to X…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-43530

A Universal XSS vulnerability was present in Firefox for Android resulting from improper sanitization when processing a URL scanned from a QR code. *This bug only affects Firefox for Android. Other o…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2020-27416

Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.

CVSS: 9.8 CWE: CWE-613 - Insufficient Session Expiration View on NVD
Low

CVE-2021-25527

Improper export of Android application components vulnerability in Samsung Pay (India only) prior to version 4.1.77 allows attacker to access Bill Pay and Recharge menu without authentication.

CVSS: 3.8 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2021-12-07
Critical

CVE-2021-41716

Maharashtra State Electricity Board Mahavitara Android Application 8.20 and prior is vulnerable to remote account takeover due to OTP fixation vulnerability in password rest function

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
Critical

CVE-2021-24041

A missing bounds check in image blurring code prior to WhatsApp for Android v2.21.22.7 and WhatsApp Business for Android v2.21.22.7 could have allowed an out-of-bounds write if a user sent a maliciou…

CVSS: 9.8 CWE: CWE-122 - Heap-based Buffer Overflow View on NVD
Medium

CVE-2020-27413

An issue was discovered in Mahavitaran android application 7.50 and below, allows local attackers to read cleartext username and password while the user is logged into the application.

CVSS: 4.2 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2021-12-02
Medium

CVE-2021-44518

An issue was discovered in the eGeeTouch 3rd Generation Travel Padlock application for Android. The lock sends a pairing code before each operation (lock or unlock) activated via the companion app. T…

CVSS: 6.8 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2020-27414

Mahavitaran android application 7.50 and prior transmit sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server log…

CVSS: 5.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-11-30
Medium

CVE-2021-41256

nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application insta…

CVSS: 5.8 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
2021-11-24
High

CVE-2021-34424

A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Critical

CVE-2021-34423

A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and…

CVSS: 9.8 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
High

CVE-2021-20835

Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
2021-11-23
Medium

CVE-2021-38000

Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page.

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2021-11-18
High

CVE-2021-23162

Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre…

CVSS: 7.7 CWE: CWE-296 - Improper Following of a Certificate's Chain of Trust View on NVD
Critical

CVE-2021-23155

Improper validation of the cloud certificate chain in Mobile Client allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre M…

CVSS: 9.0 CWE: CWE-296 - Improper Following of a Certificate's Chain of Trust View on NVD
Medium

CVE-2021-0672

In Browser app, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User inte…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
2021-11-11
Low

CVE-2021-34421

The Keybase Client for Android before version 5.8.0 and the Keybase Client for iOS before version 5.8.0 fails to properly remove exploded messages initiated by a user if the receiving user places the…

CVSS: 3.7 CWE: CWE-459 - Incomplete Cleanup View on NVD
2021-11-09
Medium

CVE-2021-43191

JetBrains YouTrack Mobile before 2021.2, is missing the security screen on Android and iOS.

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-43190

In JetBrains YouTrack Mobile before 2021.2, task hijacking on Android is possible.

CVSS: 5.3 CWE: N/A View on NVD
High

CVE-2021-43189

In JetBrains YouTrack Mobile before 2021.2, access token protection on Android is incomplete.

CVSS: 7.3 CWE: N/A View on NVD
2021-11-03
High

CVE-2021-29993

Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are u…

CVSS: 8.1 CWE: N/A View on NVD
2021-11-02
Medium

CVE-2021-37990

Inappropriate implementation in WebView in Google Chrome on Android prior to 95.0.4638.54 allowed a remote attacker to leak cross-origin data via a crafted app.

CVSS: 5.5 CWE: N/A View on NVD
2021-10-30
Medium

CVE-2021-36808

A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.

CVSS: 5.9 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2021-10-25
Medium

CVE-2021-0941

In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User inte…

CVSS: 6.7 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2021-0940

In TBD of TBD, there is a possible out of bounds write due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interactio…

CVSS: 6.7 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-0939

In set_default_passthru_cfg of passthru.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges neede…

CVSS: 4.4 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2021-0938

In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to uninitialized data. This could lead to local information disclosure with no additional execution privile…

CVSS: 5.5 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-0936

In acc_read of f_accessory.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User inte…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2021-0935

In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interactio…

CVSS: 6.7 CWE: CWE-416 - Use After Free View on NVD
2021-10-22
High

CVE-2021-0870

In RW_SetActivatedTagType of rw_main.cc, there is possible memory corruption due to a race condition. This could lead to remote code execution with no additional execution privileges needed. User int…

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0708

In runDumpHeap of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional executio…

CVSS: 7.8 CWE: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere View on NVD
Medium

CVE-2021-0706

In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no addition…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0705

In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This co…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0703

In SecondStageMain of init.cpp, there is a possible use after free due to incorrect shared_ptr usage. This could lead to local escalation of privilege if the attacker has physical access to the devic…

CVSS: 6.8 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2021-0702

In RevertActiveSessions of apexd.cpp, there is a possible way to share the wrong file due to an unintentional MediaStore downgrade. This could lead to local information disclosure with no additional…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-0652

In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of pr…

CVSS: 7.8 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2021-0651

In loadLabel of PackageItemInfo.java, there is a possible way to DoS a device by having a long label in an app due to incorrect input validation. This could lead to local denial of service with no ad…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-0643

In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. This could lead to l…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0483

In multiple methods of AAudioService, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interact…

CVSS: 7.8 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2021-10-15
High

CVE-2021-40724

Acrobat Reader for Android versions 21.8.0 (and earlier) are affected by a Path traversal vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execut…

CVSS: 7.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2021-10-13
Medium

CVE-2021-20834

Improper authorization in handler for custom URL scheme vulnerability in Nike App for Android versions prior to 2.177 and Nike App for iOS versions prior to 2.177.1 allows a remote attacker to lead a…

CVSS: 6.1 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-20832

InBody App for iOS versions prior to 2.3.30 and InBody App for Android versions prior to 2.2.90(510) contain a vulnerability which may lead to information disclosure only when it works with the body…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-10-12
Medium

CVE-2021-40498

A vulnerability has been identified in SAP SuccessFactors Mobile Application for Android - versions older than 2108, which allows an attacker to prevent legitimate users from accessing a service, eit…

CVSS: 5.5 CWE: N/A View on NVD
2021-10-11
High

CVE-2021-0583

In onCreate of BluetoothPairingDialog, there is a possible way to enable Bluetooth without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2021-10-08
Medium

CVE-2021-37966

Inappropriate implementation in Compositing in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

CVSS: 4.3 CWE: CWE-346 - Origin Validation Error View on NVD
High

CVE-2021-37956

Use after free in Offline use in Google Chrome on Android prior to 94.0.4606.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
2021-10-06
Medium

CVE-2021-0695

In get_sock_stat of xt_qtaguid.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with User execution privileges needed. User interacti…

CVSS: 5.5 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2021-0693

In openFile of HeapDumpProvider.java, there is a possible way to retrieve generated heap dumps from debuggable apps due to an unprotected provider. This could lead to local information disclosure wit…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-0692

In sendBroadcastToInstaller of FirstScreenBroadcast.java, there is a possible activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execu…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2021-0691

In the SELinux policy configured in system_app.te, there is a possible way for system_app to gain code execution in other processes due to an overly-permissive SELinux policy. This could lead to loca…

CVSS: 6.7 CWE: CWE-269 - Improper Privilege Management View on NVD
Medium

CVE-2021-0690

In ih264d_mark_err_slice_skip of ih264d_parse_pslice.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote information disclosure with no additional exec…

CVSS: 6.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-0689

In RGB_to_BGR1_portable of SkSwizzler_opts.h, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privil…

CVSS: 5.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-0688

In lockNow of PhoneWindowManager.java, there is a possible lock screen bypass due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User int…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2021-0687

In ellipsize of Layout.java, there is a possible ANR due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is n…

CVSS: 5.0 CWE: CWE-834 - Excessive Iteration View on NVD
Medium

CVE-2021-0686

In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0685

In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2021-0684

In TouchInputMapper::sync of TouchInputMapper.cpp, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privi…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0683

In runTraceIpcStop of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional exec…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0682

In sendAccessibilityEvent of NotificationManagerService.java, there is a possible disclosure of notification data due to a missing permission check. This could lead to local information disclosure wi…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0681

In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. Use…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0680

In system properties, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. Use…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0644

In conditionallyRemoveIdentifiers of SubscriptionController.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information di…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2021-0636

When extracting the incorrectly formatted avi file, the memory is damaged, the playback interface shows that the video cannot be played, and the log is found to be crashed. This problem may lead to h…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2021-0635

When extracting the incorrectly formatted flv file, the memory is damaged, the playback interface shows that the video cannot be played, and the log is found to be crashed. This problem may lead to h…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2021-0598

In onCreate of ConfirmConnectActivity.java, there is a possible pairing of untrusted Bluetooth devices due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User e…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0595

In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with…

CVSS: 7.8 CWE: CWE-287 - Improper Authentication View on NVD
2021-10-04
Low

CVE-2021-41861

The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the…

CVSS: 3.3 CWE: N/A View on NVD
2021-09-29
High

CVE-2021-41034

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks th…

CVSS: 8.1 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD