{"id":"ASB-A-303835719","details":"In createPendingIntent of CredentialManagerUi.java, there is a possible way to access credentials from other users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-303835719","CVE-2023-40076"],"modified":"2026-04-27T15:40:08.012512Z","published":"2023-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/9b68987df85b681f9362a3cadca6496796d23bbc"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2023-12-01"}]}],"versions":["14-next"],"ecosystem_specific":{"severity":"Critical","fixes":["https://android.googlesource.com/platform/frameworks/base/+/a75c8e7b68f9d3ff0eac572190fe2894a768345c"],"spl":"2023-12-01","types":["ID"],"vanir_signatures":[{"digest":{"line_hashes":["234226084091455057821822888718178801183","48161601445990499557773743744981487220","9581925943886986278467702403361556315","158744577728783833093806905123284310058","286497149840698911614324456572265522908","59805238393357666331782590915338340853","335502741726855472299662573893601181343","331794043557624844489300745738168591998"],"threshold":0.9},"id":"ASB-A-303835719-7c4531d3","deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/a75c8e7b68f9d3ff0eac572190fe2894a768345c","target":{"file":"services/credentials/java/com/android/server/credentials/CredentialManagerUi.java"}},{"digest":{"length":659,"function_hash":"233515573312489756185313986520921498802"},"id":"ASB-A-303835719-a03475a6","deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/a75c8e7b68f9d3ff0eac572190fe2894a768345c","target":{"file":"services/credentials/java/com/android/server/credentials/CredentialManagerUi.java","function":"createPendingIntent"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-303835719.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2023-12-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"Critical","fixes":["https://android.googlesource.com/platform/frameworks/base/+/b9c5b0f408250faa2d8dadd7d2ba8beeb88ea463"],"spl":"2023-12-01","types":["ID"],"vanir_signatures":[{"digest":{"length":659,"function_hash":"233515573312489756185313986520921498802"},"id":"ASB-A-303835719-5ec58328","deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/b9c5b0f408250faa2d8dadd7d2ba8beeb88ea463","target":{"file":"services/credentials/java/com/android/server/credentials/CredentialManagerUi.java","function":"createPendingIntent"}},{"digest":{"line_hashes":["234226084091455057821822888718178801183","48161601445990499557773743744981487220","9581925943886986278467702403361556315","158744577728783833093806905123284310058","286497149840698911614324456572265522908","59805238393357666331782590915338340853","335502741726855472299662573893601181343","331794043557624844489300745738168591998"],"threshold":0.9},"id":"ASB-A-303835719-d1183d65","deprecated":false,"signature_version":"v1","signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/b9c5b0f408250faa2d8dadd7d2ba8beeb88ea463","target":{"file":"services/credentials/java/com/android/server/credentials/CredentialManagerUi.java"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-303835719.json"}}],"schema_version":"1.7.5"}