{"id":"ASB-A-242040055", "published":"2023-04-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2023-21092", "A-242040055"], "details":"In retrieveServiceLocked of ActiveServices.java, there is a possible way to dynamically register a BroadcastReceiver using permissions of System App due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13-next:0"}, {"fixed":"13-next:2023-04-01"}]}], "versions":["13-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0"], "severity":"High", "spl":"2023-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"216548716323191802951229366658254318471", "length":8820}, "id":"ASB-A-242040055-57be390e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java", "function":"retrieveServiceLocked"}}, {"deprecated":false, "digest":{"line_hashes":["55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084"], "threshold":0.9}, "id":"ASB-A-242040055-974fe156", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/790a8d0dd329460bc60456681cb446accf2a27e0", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2023-04-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130"], "severity":"High", "spl":"2023-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"201736581176026588707715363377540875288", "length":7321}, "id":"ASB-A-242040055-17970a8d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java", "function":"retrieveServiceLocked"}}, {"deprecated":false, "digest":{"line_hashes":["55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084"], "threshold":0.9}, "id":"ASB-A-242040055-e53d1fdb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4f0dc37b896e06086391e71ce471e413215e1130", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-04-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589"], "severity":"High", "spl":"2023-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084"], "threshold":0.9}, "id":"ASB-A-242040055-78058151", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"}}, {"deprecated":false, "digest":{"function_hash":"58200418806009731186248907486968895829", "length":8362}, "id":"ASB-A-242040055-c373130f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8460609f01147d2a7e849eca1ca895211530b589", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java", "function":"retrieveServiceLocked"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-04-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"], "severity":"High", "spl":"2023-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"58200418806009731186248907486968895829", "length":8362}, "id":"ASB-A-242040055-2b882130", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java", "function":"retrieveServiceLocked"}}, {"deprecated":false, "digest":{"line_hashes":["55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084"], "threshold":0.9}, "id":"ASB-A-242040055-65b672aa", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-04-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460"], "severity":"High", "spl":"2023-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"58200418806009731186248907486968895829", "length":8362}, "id":"ASB-A-242040055-3ed434eb", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java", "function":"retrieveServiceLocked"}}, {"deprecated":false, "digest":{"line_hashes":["55588285223667247134227640611154823163", "207445359602225235167182124341087884773", "233467424907378942754521188775349457677", "86491822422217330916939975194732782084"], "threshold":0.9}, "id":"ASB-A-242040055-78448841", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8bf1ae31eec0a5673dd55896e7b6de5e0bbe0460", "target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-04-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/cdd30b5c040ba7ebd0a1cc6009183ff602434fc0"}]}