{"id":"ASB-A-336323279","details":"In multiple functions of AppOpsService.java, there is a possible way for unprivileged apps to read their own restrictRead app-op states due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-336323279","CVE-2024-34738"],"modified":"2026-05-26T15:46:26.044149249Z","published":"2024-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/21d764807b3dcd402d63e2b4c9fbae1c9965400a"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-08-01"}]}],"versions":["14-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/955e78071ec49139583056e21f612edba6439436"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/955e78071ec49139583056e21f612edba6439436","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java"},"deprecated":false,"signature_version":"v1","signature_type":"Line","id":"ASB-A-336323279-740a03af","digest":{"line_hashes":["155290289070892496713407728111694577272","50170075951158264700055049384867889361","258567789960322506291680570706060849396","103006858551673693882655182545271519297","56677228534642494669783196501344303328","112189945487356966523093960046031247335","152917475649676127471247702203349374973","335050055412409923719135812133370812888","241109627515707857017823944220942304205","173584927456833537101965176588998972260","262573321636468416015759523167358481112","106084232884673639449023698139121871873","54036612676277345232006082715688122333","168460017835466189202053310032604387658","85459535018880413620145867366719225655","224709258165208765206706283495916606041","69030975499120734252832411346976782828","165451476811191297387992421760603219790","90518704425958532938562733404423041300","106383597360031344710587720813957895919","132903626757647226160171190214934149971","34247211009492729252601302964266859890","128449159514436591913288189669887916334"],"threshold":0.9}},{"id":"ASB-A-336323279-7df0ef98","digest":{"length":314,"function_hash":"271341409669458354291250865136426508731"},"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java","function":"verifyIncomingOp"},"source":"https://android.googlesource.com/platform/frameworks/base/+/955e78071ec49139583056e21f612edba6439436"},{"digest":{"length":536,"function_hash":"226569947551239069908695777646051432672"},"target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java","function":"collectOps"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/955e78071ec49139583056e21f612edba6439436","id":"ASB-A-336323279-8719a508"}],"types":["EoP"],"spl":"2024-08-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-336323279.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-08-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e2471e03e471ed701dd1ac0c6c483f82b0dd22d0"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/e2471e03e471ed701dd1ac0c6c483f82b0dd22d0","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java","function":"verifyIncomingOp"},"deprecated":false,"signature_version":"v1","signature_type":"Function","id":"ASB-A-336323279-2c8406c6","digest":{"length":314,"function_hash":"271341409669458354291250865136426508731"}},{"digest":{"length":565,"function_hash":"335229134296342272220671894299133808942"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e2471e03e471ed701dd1ac0c6c483f82b0dd22d0","signature_version":"v1","match_only_versions":["13"],"signature_type":"Function","id":"ASB-A-336323279-ee76bb77","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java","function":"collectOps"},"deprecated":false},{"target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java"},"id":"ASB-A-336323279-f76068b7","deprecated":false,"signature_version":"v1","signature_type":"Line","digest":{"line_hashes":["71308875704435778707080096132114324900","36163315088678836445270695673990550056","162957365957927575174812348340271909813","97283526466078414112679262229617318988","56677228534642494669783196501344303328","95530904211242568681832103475495674385","285694059248249154049803579926649887641","249657082229337128205639577339949811868","253772115497832552708570951606569109011","173584927456833537101965176588998972260","262573321636468416015759523167358481112","106084232884673639449023698139121871873","54036612676277345232006082715688122333","168460017835466189202053310032604387658","165451476811191297387992421760603219790","90518704425958532938562733404423041300","106383597360031344710587720813957895919","132903626757647226160171190214934149971","34247211009492729252601302964266859890","128449159514436591913288189669887916334"],"threshold":0.9},"source":"https://android.googlesource.com/platform/frameworks/base/+/e2471e03e471ed701dd1ac0c6c483f82b0dd22d0"}],"types":["EoP"],"spl":"2024-08-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-336323279.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-08-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e31c33ea3586531ca99dd4c6d68a34ce07c1cebb"],"types":["EoP"],"spl":"2024-08-01","vanir_signatures":[{"id":"ASB-A-336323279-297cd822","digest":{"line_hashes":["102237660525299082857892895966305371001","182945194297317478338321406644110804447","172218828561879507384994601065657093002","103006858551673693882655182545271519297","56677228534642494669783196501344303328","47890410113008051836251308443189549034","172080579671667751572132470175614683275","263607453056563888617200606719662511242","259143427029110884523456883122189804226","173584927456833537101965176588998972260","262573321636468416015759523167358481112","106084232884673639449023698139121871873","54036612676277345232006082715688122333","168460017835466189202053310032604387658","165451476811191297387992421760603219790","90518704425958532938562733404423041300","106383597360031344710587720813957895919","132903626757647226160171190214934149971","34247211009492729252601302964266859890","128449159514436591913288189669887916334"],"threshold":0.9},"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e31c33ea3586531ca99dd4c6d68a34ce07c1cebb"},{"id":"ASB-A-336323279-70d572dc","digest":{"length":506,"function_hash":"47136927224431509769238248283072278004"},"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java","function":"collectOps"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e31c33ea3586531ca99dd4c6d68a34ce07c1cebb"},{"id":"ASB-A-336323279-ea04cde6","digest":{"length":314,"function_hash":"271341409669458354291250865136426508731"},"deprecated":false,"signature_version":"v1","signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/e31c33ea3586531ca99dd4c6d68a34ce07c1cebb","target":{"file":"services/core/java/com/android/server/appop/AppOpsService.java","function":"verifyIncomingOp"}}],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-336323279.json"}}],"schema_version":"1.7.5"}