{"id":"ASB-A-242040055","details":"In retrieveServiceLocked of ActiveServices.java, there is a possible way to dynamically register a BroadcastReceiver using permissions of System App due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-242040055","CVE-2023-21092"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2023-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/cdd30b5c040ba7ebd0a1cc6009183ff602434fc0"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-04-01"}]}],"versions":["13-next"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","digest":{"length":8820,"function_hash":"216548716323191802951229366658254318471"},"target":{"function":"retrieveServiceLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-57be390e","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0"},{"signature_type":"Line","digest":{"line_hashes":["55588285223667247134227640611154823163","207445359602225235167182124341087884773","233467424907378942754521188775349457677","86491822422217330916939975194732782084"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"signature_version":"v1","id":"ASB-A-242040055-974fe156","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0"}],"severity":"High","spl":"2023-04-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242040055.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-04-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","digest":{"length":7321,"function_hash":"201736581176026588707715363377540875288"},"target":{"function":"retrieveServiceLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-17970a8d","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130"},{"signature_type":"Line","digest":{"line_hashes":["55588285223667247134227640611154823163","207445359602225235167182124341087884773","233467424907378942754521188775349457677","86491822422217330916939975194732782084"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"signature_version":"v1","id":"ASB-A-242040055-e53d1fdb","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130"}],"severity":"High","spl":"2023-04-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242040055.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-04-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["55588285223667247134227640611154823163","207445359602225235167182124341087884773","233467424907378942754521188775349457677","86491822422217330916939975194732782084"]},"target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-78058151","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589"},{"signature_type":"Function","digest":{"length":8362,"function_hash":"58200418806009731186248907486968895829"},"target":{"function":"retrieveServiceLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-c373130f","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589"}],"severity":"High","spl":"2023-04-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242040055.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-04-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"signature_type":"Function","digest":{"length":8362,"function_hash":"58200418806009731186248907486968895829"},"target":{"function":"retrieveServiceLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-2b882130","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["55588285223667247134227640611154823163","207445359602225235167182124341087884773","233467424907378942754521188775349457677","86491822422217330916939975194732782084"]},"target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-65b672aa","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"}],"spl":"2023-04-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242040055.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-04-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Function","digest":{"length":8362,"function_hash":"58200418806009731186248907486968895829"},"target":{"function":"retrieveServiceLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-3ed434eb","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["55588285223667247134227640611154823163","207445359602225235167182124341087884773","233467424907378942754521188775349457677","86491822422217330916939975194732782084"]},"target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"deprecated":false,"id":"ASB-A-242040055-78448841","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"}],"severity":"High","spl":"2023-04-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242040055.json"}}],"schema_version":"1.7.5"}