CVE Daily
← All tags

Tag: Android OS

All CVEs associated with "Android OS". Page 21/76 • 9114 CVEs.

Subscribe CVEs: RSS for “Android OS”  ·  RSS (High+Critical only)

About “Android OS”

A curated feed of “Android OS”-related CVEs appears below. We currently track 9114 CVEs for this tag (all time). In the last 365 days, 361 were published. Average CVSS is 6.8 (all time; 6.1 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-926 - Improper Export of Android Application Components, CWE-451 - User Interface (UI) Misrepresentation of Critical Information, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-06-21
High

CVE-2021-0532

In memory management driver, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User inter…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0531

In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User inter…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0530

In memory management driver, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User i…

CVSS: 7.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-0529

In memory management driver, there is a possible memory corruption due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User inter…

CVSS: 7.8 CWE: CWE-667 - Improper Locking View on NVD
High

CVE-2021-0528

In memory management driver, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interact…

CVSS: 7.8 CWE: CWE-415 - Double Free View on NVD
High

CVE-2021-0527

In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User inter…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0526

In memory management driver, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User i…

CVSS: 7.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-0525

In memory management driver, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User int…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0523

In onCreate of WifiScanModeActivity.java, there is a possible way to enable Wi-Fi scanning without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege wi…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0522

In ConnectionHandler::SdpCb of connection_handler.cc, there is a possible out of bounds read due to a use after free. This could lead to remote information disclosure with no additional execution pri…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2021-0521

In getAllPackages of PackageManagerService, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure of cross-user permissions wit…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0520

In several functions of MemoryFileSystem.cpp and related files, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional executi…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0517

In updateCapabilities of ConnectivityService.java, there is a possible incorrect network state determination due to a logic error in the code. This could lead to biasing of networking tasks to occur…

CVSS: 7.5 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
Critical

CVE-2021-0516

In p2p_process_prov_disc_req of p2p_pd.c, there is a possible out of bounds read and write due to a use after free. This could lead to remote escalation of privilege with no additional execution priv…

CVSS: 9.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-0513

In deleteNotificationChannel and related functions of NotificationManagerService.java, there is a possible permission bypass due to improper state validation. This could lead to local escalation of p…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0512

In __hidinput_change_resolution_multipliers of hid-input.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0511

In Dex2oat of dex2oat.cc, there is a possible way to inject bytecode into an app due to improper input validation. This could lead to local escalation of privilege with no additional execution privil…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-0510

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed…

CVSS: 7.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2021-0509

In various functions of CryptoPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed.…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0508

In various functions of DrmPlugin.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. Use…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0507

In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution pri…

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0506

In ActivityPicker.java, there is a possible bypass of user interaction in intent resolution due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution pr…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0505

In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges ne…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0504

In avrc_pars_browse_rsp of avrc_pars_ct.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure over Bluetooth with no additional ex…

CVSS: 6.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
High

CVE-2021-0478

In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services withou…

CVSS: 7.8 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
2021-06-17
Medium

CVE-2021-32694

Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device is possible to crash the Nextcloud Android Client due to an uncaught…

CVSS: 4.1 CWE: CWE-248 - Uncaught Exception View on NVD
Low

CVE-2021-32695

Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android…

CVSS: 3.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-06-16
High

CVE-2021-32612

The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-06-14
Medium

CVE-2021-0467

In Chromecast bootROM, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege in the bootloader, with physical USB access, with no…

CVSS: 6.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Critical

CVE-2021-0324

Product: AndroidVersions: Android SoCAndroid ID: A-175402462

CVSS: 9.8 CWE: N/A View on NVD
2021-06-11
High

CVE-2021-0498

In memory management driver, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interact…

CVSS: 7.8 CWE: CWE-415 - Double Free View on NVD
High

CVE-2021-0497

In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User inter…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0496

In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User inter…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0495

In memory management driver, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User i…

CVSS: 7.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-0494

In memory management driver, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User…

CVSS: 7.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2021-0493

In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Us…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0492

In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Us…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0491

In memory management driver, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges ne…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0490

In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Us…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0489

In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. Us…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0487

In onCreate of CalendarDebugActivity.java, there is a possible way to export calendar data to the sdcard without user consent due to a tapjacking/overlay attack. This could lead to local escalation o…

CVSS: 7.8 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0485

In getMinimalSize of PipBoundsAlgorithm.java, there is a possible bypass of restrictions on background processes due to a permissions bypass. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-0484

In readVector of IMediaPlayer.cpp, there is a possible read of uninitialized heap data due to a missing bounds check. This could lead to local information disclosure with no additional execution priv…

CVSS: 5.5 CWE: CWE-909 - Missing Initialization of Resource View on NVD
High

CVE-2021-0482

In BinderDiedCallback of MediaCodec.cpp, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed…

CVSS: 7.0 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0481

In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additi…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-0480

In createPendingIntent of SnoozeHelper.java, there is a possible broadcast intent containing a sensitive identifier. This could lead to local information disclosure with no additional execution privi…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-0477

In notifyScreenshotError of ScreenshotNotificationsController.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User ex…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2021-0476

In FindOrCreatePeer of btif_av.cc, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User in…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0475

In on_l2cap_data_ind of btif_sock_l2cap.cc, there is possible memory corruption due to a use after free. This could lead to remote code execution over Bluetooth with no additional execution privilege…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
Critical

CVE-2021-0474

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0473

In rw_t3t_process_error of rw_t3t.cc, there is a possible double free due to uninitialized data. This could lead to remote code execution over NFC with no additional execution privileges needed. User…

CVSS: 8.8 CWE: CWE-908 - Use of Uninitialized Resource View on NVD
High

CVE-2021-0472

In shouldLockKeyguard of LockTaskController.java, there is a possible way to exit App Pinning without a PIN due to a permissions bypass. This could lead to local escalation of privilege with no addit…

CVSS: 7.8 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-0466

In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additio…

CVSS: 7.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
Medium

CVE-2019-9475

In /proc/net of the kernel filesystem, there is a possible information leak due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed…

CVSS: 5.5 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
Medium

CVE-2021-22905

Nextcloud Android App (com.nextcloud.client) before v3.16.0 is vulnerable to information disclosure due to searches for sharees being performed by default on the lookup server instead of only using t…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2021-25403

Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above allows attacker to access contacts and file provid…

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2021-24035

A lack of filename validation when unzipping archives prior to WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13 could have allowed path traversal attacks that overwrite Wh…

CVSS: 9.1 CWE: CWE-23 - Relative Path Traversal View on NVD
2021-06-09
Medium

CVE-2021-20732

The ATOM (ATOM - Smart life App for Android versions prior to 1.8.1 and ATOM - Smart life App for iOS versions prior to 1.8.2) does not verify server certificate properly, which allows man-in-the-mid…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-20728

Improper access control vulnerability in goo blog App for Android ver.1.2.25 and earlier and for iOS ver.1.3.3 and earlier allows a remote attacker to lead a user to access an arbitrary website via t…

CVSS: 5.3 CWE: N/A View on NVD
2021-06-08
Medium

CVE-2021-32658

Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This c…

CVSS: 4.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-06-07
Medium

CVE-2021-30540

Incorrect security UI in payments in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

CVSS: 6.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2021-30528

Use after free in WebAuthentication in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker who had compromised the renderer process of a user who had saved a credit card in their…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-30521

Heap buffer overflow in Autofill in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.

CVSS: 8.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2021-06-04
High

CVE-2021-30507

Inappropriate implementation in Offline in Google Chrome on Android prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HT…

CVSS: 8.8 CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere View on NVD
High

CVE-2021-30506

Incorrect security UI in Web App Installs in Google Chrome on Android prior to 90.0.4430.212 allowed an attacker who convinced a user to install a web application to inject scripts or HTML into a pri…

CVSS: 8.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
High

CVE-2021-33839

Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because the QR code of a Public Location can be intentionally confused with the QR code o…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2021-33838

Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because requests related to Check-In State occur shortly after requests for Phone Number…

CVSS: 7.5 CWE: CWE-203 - Observable Discrepancy View on NVD
2021-05-18
Medium

CVE-2021-31323

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LottieParserImpl::parseDashProperty function of their custom fork of the rlott…

CVSS: 5.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-31322

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A…

CVSS: 5.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-31321

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the gray_split_cubic function of their custom fork of the rlottie library. A remot…

CVSS: 7.1 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-31320

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Heap Buffer Overflow in the VGradientCache::generateGradientColorTable function of their custom fork of th…

CVSS: 7.1 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-31319

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by an Integer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A rem…

CVSS: 5.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Medium

CVE-2021-31318

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function of their custom fork of the rlottie libr…

CVSS: 5.5 CWE: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion') View on NVD
Medium

CVE-2021-31317

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Type Confusion in the VDasher constructor of their custom fork of the rlottie library. A remote attacker m…

CVSS: 5.5 CWE: CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion') View on NVD
Medium

CVE-2021-31315

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by a Stack Based Overflow in the blit function of their custom fork of the rlottie library. A remote attacker m…

CVSS: 5.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2021-05-06
Medium

CVE-2021-27941

Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically p…

CVSS: 4.6 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2021-04-30
Medium

CVE-2021-21229

Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

CVSS: 6.5 CWE: CWE-346 - Origin Validation Error View on NVD
2021-04-28
Low

CVE-2021-31815

GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on Android allows attackers to obtain sensitive information, such as a user's location history, in-person social graph, and (sometime…

CVSS: 3.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2021-04-27
Medium

CVE-2021-20715

Improper access control vulnerability in Hot Pepper Gourmet App for Android ver.4.111.0 and earlier, and for iOS ver.4.111.0 and earlier allows a remote attacker to lead a user to access an arbitrary…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
2021-04-26
High

CVE-2021-20693

Improper access control vulnerability in Gurunavi App for Android ver.10.0.10 and earlier and for iOS ver.11.1.2 and earlier allows a remote attacker to lead a user to access an arbitrary website via…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
2021-04-15
Medium

CVE-2021-0488

In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User inter…

CVSS: 6.7 CWE: CWE-787 - Out-of-bounds Write View on NVD
2021-04-13
Medium

CVE-2021-29370

A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any websit…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2021-0471

In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with no additional execution privileges needed.…

CVSS: 5.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2021-0468

In LK, there is a possible escalation of privilege due to an insecure default value. This could lead to local escalation of privilege for an attacker who has physical access to the device with no add…

CVSS: 6.6 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
High

CVE-2021-0446

In ImportVCardActivity, there is a possible way to bypass user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0445

In start of WelcomeActivity.java, there is a possible residual profile due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0444

In onActivityResult of QuickContactActivity.java, there is an unnecessary return of an intent. This could lead to local information disclosure of contact data with no additional execution privileges…

CVSS: 5.5 CWE: N/A View on NVD
Medium

CVE-2021-0443

In several functions of ScreenshotHelper.java and related files, there is a possible incorrectly saved screenshot due to a race condition. This could lead to local information disclosure across user…

CVSS: 4.7 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0442

In updateInfo of android_hardware_input_InputApplicationHandle.cpp, there is a possible control of code flow due to a use after free. This could lead to local escalation of privilege with no addition…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
High

CVE-2021-0439

In setPowerModeWithHandle of com_android_server_power_PowerManagerService.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0438

In several functions of InputDispatcher.cpp, WindowManagerService.java, and related files, there is a possible tapjacking attack due to an incorrect FLAG_OBSCURED value. This could lead to local esca…

CVSS: 7.8 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0437

In setPlayPolicy of DrmPlugin.cpp, there is a possible double free. This could lead to local escalation of privilege in a privileged process with no additional execution privileges needed. User inter…

CVSS: 7.8 CWE: CWE-415 - Double Free View on NVD
Medium

CVE-2021-0436

In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds read due to integer overflow. This could lead to local information disclosure with no additional execution privileges n…

CVSS: 5.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2021-0435

In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges n…

CVSS: 7.5 CWE: CWE-665 - Improper Initialization View on NVD
High

CVE-2021-0433

In onCreate of DeviceChooserActivity.java, there is a possible way to bypass user consent when pairing a Bluetooth device due to a tapjacking/overlay attack. This could lead to local escalation of pr…

CVSS: 8.0 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0432

In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with n…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
High

CVE-2021-0431

In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional executio…

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Critical

CVE-2021-0430

In rw_mfc_handle_read_op of rw_mfc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution via a malicious NFC packet with no additional ex…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0429

In pollOnce of ALooper.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interact…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
Medium

CVE-2021-0428

In getSimSerialNumber of TelephonyManager.java, there is a possible way to read a trackable identifier due to a missing permission check. This could lead to local information disclosure with User exe…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0427

In parseExclusiveStateAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2021-0426

In parsePrimaryFieldFirstUidAnnotation of LogEvent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional exec…

CVSS: 7.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-0400

In injectBestLocation and handleUpdateLocation of GnssLocationProvider.java, there is a possible incorrect reporting of location data to emergency services due to improper input validation. This coul…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
2021-04-09
Medium

CVE-2021-25381

Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without…

CVSS: 5.5 CWE: CWE-285 - Improper Authorization View on NVD
Low

CVE-2021-25377

Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) below, and 12.2.0.5 in Android Q(10.0) above allows attacker to execute privileged action.

CVSS: 3.3 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2021-25374

An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remot…

CVSS: 8.6 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2021-25373

Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local a…

CVSS: 5.5 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2021-25357

A pendingIntent hijacking vulnerability in Create Movie prior to SMR APR-2021 Release 1 in Android O(8.x) and P(9.0), 3.4.81.1 in Android Q(10,0), and 3.6.80.7 in Android R(11.0) allows unprivileged…

CVSS: 5.6 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-04-08
Medium

CVE-2021-1467

A vulnerability in Cisco Webex Meetings for Android could allow an authenticated, remote attacker to modify the avatar of another user. This vulnerability is due to improper authorization checks. An…

CVSS: 4.3 CWE: CWE-284 - Improper Access Control View on NVD
2021-04-06
High

CVE-2021-24027

A cache configuration issue prior to WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 may have allowed a third party with access to the device’s external storage to read c…

CVSS: 7.5 CWE: CWE-524 - Use of Cache Containing Sensitive Information View on NVD
Critical

CVE-2021-24026

A missing bounds check within the audio decoding pipeline for WhatsApp calls in WhatsApp for Android prior to v2.21.3, WhatsApp Business for Android prior to v2.21.3, WhatsApp for iOS prior to v2.21.…

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
Medium

CVE-2021-26833

Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows attacker who can locally read user's files obtain JWT tokens for user's account due…

CVSS: 5.9 CWE: CWE-459 - Incomplete Cleanup View on NVD
High

CVE-2020-36284

Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability, allows attackers to shop for free in merchants' websites and mobile apps,…

CVSS: 7.5 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
High

CVE-2021-30162

An issue was discovered on LG mobile devices with Android OS 4.4 through 11 software. Attackers can leverage ISMS services to bypass access control on specific content providers. The LG ID is LVE-SMP…

CVSS: 7.1 CWE: N/A View on NVD
Medium

CVE-2021-30161

An issue was discovered on LG mobile devices with Android OS 11 software. Attackers can bypass the lockscreen protection mechanism after an incoming call has been terminated. The LG ID is LVE-SMP-210…

CVSS: 5.5 CWE: N/A View on NVD
2021-03-29
Critical

CVE-2020-35138

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded encryption key, used to encrypt the submission of username/password details during the authentication process, as demo…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2020-35137

The MobileIron agents through 2021-03-22 for Android and iOS contain a hardcoded API key, used to communicate with the MobileIron SaaS discovery API, as demonstrated by Mobile@Work (aka com.mobileiro…

CVSS: 7.5 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2021-03-24
High

CVE-2021-21385

Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its…

CVSS: 8.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-03-17
Medium

CVE-2020-35456

The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to view private chat messages and media files via logcat because of excessive logging.

CVSS: 5.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2020-35455

The Taidii Diibear Android application 2.4.0 and all its derivatives allow attackers to obtain user credentials from Shared Preferences and the SQLite database because of insecure data storage.

CVSS: 7.8 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD