In placeCall of TelecomManager.java, there is a possible way for an application to keep itself running with foreground service importance due to a permissions bypass.…

In mPreference of DefaultUsbConfigurationPreferenceController.java, there is a possible way to enable file transfer mode due to a logic error in the code. This could lead…

In getAvailabilityStatus of PrivateDnsPreferenceController.java, there is a possible way for a guest user to change private DNS settings due to a permissions bypass. This could…

In getArray of NotificationManagerService.java , there is a possible leak of one user notifications to another due to missing check. This could lead to local…

In l2cble_process_sig_cmd of l2c_ble.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure…

In various functions of the USB gadget subsystem, there is a possible out of bounds write due to a missing bounds check. This could lead…

In mmc_blk_read_single of block.c, there is a possible way to read kernel heap memory due to uninitialized data. This could lead to local information disclosure…

In startActivityForAttachedApplicationIfNeeded of RootWindowContainer.java, there is a possible way to overlay an app that believes it’s still in the foreground, when it is not, due…

In several functions of KeyguardServiceWrapper.java and related files,, there is a possible way to briefly view what’s under the lockscreen due to a race condition.…

In validateApkInstallLocked of PackageInstallerSession.java, there is a way to force a mismatch between running code and a parsed APK . This could lead to local…