{"id":"ASB-A-281061287","details":"In forceReplaceShortcutInner of ShortcutPackage.java, there is a possible way to register unlimited packages due to a missing bounds check. This could lead to local denial of service which results in a boot loop with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-281061287","CVE-2023-40075"],"modified":"2026-05-26T15:46:26.044149249Z","published":"2023-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/ae768fbb9975fdab267f525831cb52f485ab0ecc"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-12-01"}]}],"versions":["14-next"],"ecosystem_specific":{"spl":"2023-12-01","types":["DoS"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"],"severity":"High","vanir_signatures":[{"signature_type":"Line","id":"ASB-A-281061287-83788f56","digest":{"threshold":0.9,"line_hashes":["16700796221960876658047075062901820845","308728855881366338611251931444619050660","188289724923926477708120317160316156172","44614394285164625813598547672783867506","206105765535832684862210061196108387550","129098121925743220798425757674504911517","165883179787575822188781207300394552354","45358171669273888812659535669192814796"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","digest":{"length":1528,"function_hash":"334976330244219875878723607817575569924"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-987a18fd","target":{"function":"pushDynamicShortcut","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","signature_version":"v1","target":{"function":"forceReplaceShortcutInner","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-ef716b0c","digest":{"length":200,"function_hash":"25517847561716758263126889563997043673"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-281061287.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-12-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2023-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7"],"types":["DoS"],"severity":"High","vanir_signatures":[{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["16700796221960876658047075062901820845","203701812653124260786088409224808533408","303542053167480856875165221117970394146","190853302074390725425840266950682255074","206105765535832684862210061196108387550","129098121925743220798425757674504911517","165883179787575822188781207300394552354","245015905893707368514028808955757503038"]},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7","deprecated":false,"id":"ASB-A-281061287-0c1f105c","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","signature_version":"v1","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java","function":"forceReplaceShortcutInner"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7","deprecated":false,"id":"ASB-A-281061287-2a07e5e2","digest":{"length":236,"function_hash":"159109076582546941070176486697659532569"}},{"signature_type":"Function","id":"ASB-A-281061287-6352b9f5","digest":{"length":1171,"function_hash":"287786783413334123543829213843353028849"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2d93aabdc4905b36ee684533904029cfc61533b7","deprecated":false,"signature_version":"v1","target":{"function":"pushDynamicShortcut","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-281061287.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-12-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2023-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"],"types":["DoS"],"severity":"High","vanir_signatures":[{"signature_type":"Line","id":"ASB-A-281061287-3006c118","digest":{"threshold":0.9,"line_hashes":["16700796221960876658047075062901820845","308728855881366338611251931444619050660","188289724923926477708120317160316156172","44614394285164625813598547672783867506","206105765535832684862210061196108387550","129098121925743220798425757674504911517","165883179787575822188781207300394552354","45358171669273888812659535669192814796"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","id":"ASB-A-281061287-a79e7589","digest":{"length":1528,"function_hash":"334976330244219875878723607817575569924"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"signature_version":"v1","target":{"function":"pushDynamicShortcut","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","signature_version":"v1","target":{"function":"forceReplaceShortcutInner","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-bf1fe3d4","digest":{"length":200,"function_hash":"25517847561716758263126889563997043673"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-281061287.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2023-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"],"types":["DoS"],"severity":"High","vanir_signatures":[{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["16700796221960876658047075062901820845","308728855881366338611251931444619050660","188289724923926477708120317160316156172","44614394285164625813598547672783867506","206105765535832684862210061196108387550","129098121925743220798425757674504911517","165883179787575822188781207300394552354","45358171669273888812659535669192814796"]},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-724219f5","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","id":"ASB-A-281061287-a3cdd939","digest":{"length":200,"function_hash":"25517847561716758263126889563997043673"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"signature_version":"v1","target":{"function":"forceReplaceShortcutInner","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","target":{"function":"pushDynamicShortcut","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-d644e870","digest":{"length":1528,"function_hash":"334976330244219875878723607817575569924"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-281061287.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-12-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2023-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"],"types":["DoS"],"severity":"High","vanir_signatures":[{"signature_type":"Function","signature_version":"v1","target":{"function":"pushDynamicShortcut","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-2c308b4c","digest":{"length":1528,"function_hash":"334976330244219875878723607817575569924"}},{"signature_type":"Line","signature_version":"v1","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-9e99c298","digest":{"threshold":0.9,"line_hashes":["16700796221960876658047075062901820845","308728855881366338611251931444619050660","188289724923926477708120317160316156172","44614394285164625813598547672783867506","206105765535832684862210061196108387550","129098121925743220798425757674504911517","165883179787575822188781207300394552354","45358171669273888812659535669192814796"]}},{"signature_type":"Function","digest":{"length":200,"function_hash":"25517847561716758263126889563997043673"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-af13675e","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java","function":"forceReplaceShortcutInner"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-281061287.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-12-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2023-12-01","types":["DoS"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227"],"severity":"High","vanir_signatures":[{"signature_type":"Function","id":"ASB-A-281061287-b4a3fb74","digest":{"length":200,"function_hash":"25517847561716758263126889563997043673"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"signature_version":"v1","target":{"function":"forceReplaceShortcutInner","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}},{"signature_type":"Function","target":{"function":"pushDynamicShortcut","file":"services/core/java/com/android/server/pm/ShortcutPackage.java"},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-b71264d0","digest":{"length":1528,"function_hash":"334976330244219875878723607817575569924"}},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["16700796221960876658047075062901820845","308728855881366338611251931444619050660","188289724923926477708120317160316156172","44614394285164625813598547672783867506","206105765535832684862210061196108387550","129098121925743220798425757674504911517","165883179787575822188781207300394552354","45358171669273888812659535669192814796"]},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/3215e73e36aa0463429226b5743ce24badf31227","deprecated":false,"id":"ASB-A-281061287-dd9e0748","target":{"file":"services/core/java/com/android/server/pm/ShortcutPackage.java"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-281061287.json"}}],"schema_version":"1.7.5"}