{"id":"ASB-A-235823542","details":"In deliverOnFlushComplete of LocationProviderManager.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-235823542","CVE-2023-21088"],"modified":"2026-04-30T15:48:46.890647Z","published":"2023-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/0924de4965f93f5a880754bcc2819a890fd45f0e"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-04-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-04-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/0a172367c32858a314f95895908d717bd74ace21"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/0a172367c32858a314f95895908d717bd74ace21","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java"},"id":"ASB-A-235823542-64c09d67","digest":{"threshold":0.9,"line_hashes":["326163088799272800982484615924156242297","265673845877076413619296124225614798221","54134849502702392557355762057910973959","99407063306781831102421226536097530733"]},"signature_version":"v1"},{"signature_type":"Function","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/0a172367c32858a314f95895908d717bd74ace21","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java","function":"deliverOnFlushComplete"},"id":"ASB-A-235823542-cdf66d83","digest":{"length":284,"function_hash":"21113831002185242309230079022666853382"},"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235823542.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-04-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-04-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/750af79d5ccb282bb79ef40932858fbae801a48b"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Function","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/750af79d5ccb282bb79ef40932858fbae801a48b","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java","function":"deliverOnFlushComplete"},"id":"ASB-A-235823542-5e66ad4b","digest":{"length":284,"function_hash":"21113831002185242309230079022666853382"},"signature_version":"v1"},{"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/750af79d5ccb282bb79ef40932858fbae801a48b","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java"},"id":"ASB-A-235823542-abd02f79","digest":{"threshold":0.9,"line_hashes":["326163088799272800982484615924156242297","265673845877076413619296124225614798221","54134849502702392557355762057910973959","99407063306781831102421226536097530733"]},"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235823542.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-04-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-04-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/11a9a5a08e6068fcc20bb3195cb179da0b6fc8c4"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Function","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/11a9a5a08e6068fcc20bb3195cb179da0b6fc8c4","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java","function":"deliverOnFlushComplete"},"id":"ASB-A-235823542-8b51a8a0","digest":{"length":284,"function_hash":"21113831002185242309230079022666853382"},"signature_version":"v1"},{"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/11a9a5a08e6068fcc20bb3195cb179da0b6fc8c4","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java"},"id":"ASB-A-235823542-fd575d18","digest":{"threshold":0.9,"line_hashes":["326163088799272800982484615924156242297","265673845877076413619296124225614798221","54134849502702392557355762057910973959","99407063306781831102421226536097530733"]},"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235823542.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-04-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-04-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/80bc46c48cb693ede724fac070a87df30d813efc"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/80bc46c48cb693ede724fac070a87df30d813efc","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java"},"id":"ASB-A-235823542-901a5864","digest":{"threshold":0.9,"line_hashes":["326163088799272800982484615924156242297","265673845877076413619296124225614798221","54134849502702392557355762057910973959","99407063306781831102421226536097530733"]},"signature_version":"v1"},{"signature_type":"Function","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/80bc46c48cb693ede724fac070a87df30d813efc","target":{"file":"services/core/java/com/android/server/location/provider/LocationProviderManager.java","function":"deliverOnFlushComplete"},"id":"ASB-A-235823542-b5af91fb","digest":{"length":284,"function_hash":"21113831002185242309230079022666853382"},"signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-235823542.json"}}],"schema_version":"1.7.5"}