{"id":"ASB-A-254736794","details":"In getCurrentState of OneTimePermissionUserManager.java, there is a possible way to hold one-time permissions after the app is being killed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-254736794","CVE-2023-21254"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2023-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/fa539c85503dc63bfb53c76b6f12b3549f14a709"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-07-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7","target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java","function":"getCurrentState"},"signature_type":"Function","id":"ASB-A-254736794-150db067","digest":{"function_hash":"286731377711939635674905074908431232409","length":230},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7","signature_version":"v1","signature_type":"Line","id":"ASB-A-254736794-185febc0","digest":{"threshold":0.9,"line_hashes":["2012088019728896796373346529697119661","95794887678244685017967769009345707309","269473325157219616924923563745773375448","154820972000404752573118643516014957341","169098446295692466798229884776274637005","67219821689456268388489880111183157946","81611614958380172139615727478591205864","225201598122517943733666693027874673645","237205250153135466490122010482236680762","258373914556850159813516484305773392827","125910280071661462423652500860628301922","113538152592414822415748897100386305573","233144689361163071165913764396211623748","272268049520737346018390666615642509419","327200272399841684421769554567479185010","197512901002234036421909392540332515687","48230772581453563322002997973370902025","231488850382554498332132733718306136571","105095112724300480145608650652271240823","238399159099680063683957948576794709363","151419067622790176455733014614730665027","301034873234891899052665121603635606246","250514607572004205542612161216221479765","247503341480896072712975524814651163330"]},"target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"},"deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/a5c6abbdf084fddc7d511faed911e97ff80bf3a7","signature_version":"v1","signature_type":"Function","id":"ASB-A-254736794-b35f72e7","digest":{"function_hash":"66636180706436326696362511061246090529","length":290},"target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java","function":"OneTimePermissionUserManager"},"deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-254736794.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-07-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-07-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3","signature_version":"v1","signature_type":"Line","id":"ASB-A-254736794-098c99e5","digest":{"threshold":0.9,"line_hashes":["2012088019728896796373346529697119661","95794887678244685017967769009345707309","269473325157219616924923563745773375448","154820972000404752573118643516014957341","104213317420452091492353394712202028201","115008296082753412527057053867333611588","327946308160344602239660896448104314510","225201598122517943733666693027874673645","237205250153135466490122010482236680762","258373914556850159813516484305773392827","125910280071661462423652500860628301922","113538152592414822415748897100386305573","233144689361163071165913764396211623748","39614901207402222558656648053840086968","69252160723633962585538215955562754152","197512901002234036421909392540332515687","48230772581453563322002997973370902025","231488850382554498332132733718306136571","105095112724300480145608650652271240823","238399159099680063683957948576794709363","151419067622790176455733014614730665027","301034873234891899052665121603635606246","250514607572004205542612161216221479765","247503341480896072712975524814651163330"]},"target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java"},"deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3","target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java","function":"getCurrentState"},"signature_type":"Function","id":"ASB-A-254736794-5294ec01","digest":{"function_hash":"286731377711939635674905074908431232409","length":230},"signature_version":"v1","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/e836611f3057cf9eae589a34a39fe80d0a9145f3","target":{"file":"services/core/java/com/android/server/pm/permission/OneTimePermissionUserManager.java","function":"OneTimePermissionUserManager"},"signature_type":"Function","id":"ASB-A-254736794-7993dbd8","digest":{"function_hash":"189535468120640384763674111584510550352","length":265},"signature_version":"v1","deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-254736794.json"}}],"schema_version":"1.7.5"}