Multiple vulnerabilities in Google Android

1) Buffer overflow

EUVDB-ID: #VU51889

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11237

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in Modem when accessing histogram type KPI input received due to lack of check of histogram definition before accessing it. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of insufficiently random values

EUVDB-ID: #VU49150

Risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-25705

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: Yes

The vulnerability allows a remote attacker to gain access to sensitive information.

A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Use-after-free

EUVDB-ID: #VU51882

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11234

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in Data HLOS when sending a socket event message to a user application. A malicious application can pass invalid information, if socket is freed by another thread, trigger a use-after-free error and escalate privileges on the system.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU51886

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11210

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in RPM region due to improper XPU configuration. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Out-of-bounds read

EUVDB-ID: #VU51887

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11191

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing SDP packets in Data Modem. A remote attacker can send specially crafted SDP packets to the system, trigger out-of-bounds read error and read contents of memory on the system or crash it.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Buffer overflow

EUVDB-ID: #VU51888

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11236

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to invalid value of total dimension in the non-histogram type KPI in Modem. A malicious application can trigger memory corruption and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use of Out-of-range Pointer Offset

EUVDB-ID: #VU51890

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11242

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect argument into address range validation api used in SDI to capture requested contents. A local user can gain access to secure memory and elevate privileges on the system.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Detection of Error Condition Without Action

EUVDB-ID: #VU51891

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11243

CWE-ID: N/A

Exploit availability: No

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in LTE module due to RRC sends a connection establishment success to NAS even though connection setup validation returns failure. A remote attacker can perform a denial of service attack.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Integer overflow

EUVDB-ID: #VU51892

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11245

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system

The vulnerability exists due to unintended reads and writes by NS EL2 in access control driver. A malicious application can trigger integer overflow and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Double Free

EUVDB-ID: #VU51883

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11246

CWE-ID: CWE-415 - Double Free

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in Digital Rights Management when the device moves to suspend mode during secure playback. A malicious application can can trigger a double free error and execute arbitrary code with elevated privileges.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Out-of-bounds read

EUVDB-ID: #VU51893

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11247

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition while unpacking data in Data Modem. A remote attacker can send specially crafted packets to the system, trigger out-of-bounds read error and read contents of memory on the system or crash it.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Out-of-bounds read

EUVDB-ID: #VU51894

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11251

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing DTMF payload in Data Modem. A remote attacker can send specially crafted data to the system, trigger out-of-bounds read error and read contents of memory on the system or crash it.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper access control

EUVDB-ID: #VU51895

Risk: Low

CVSSv3.1: 2.2 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11252

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions during trustzone initialization, as xPU get disabled when memory dumps are enabled. A local user can gain access to sensitive information on the system.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory leak

EUVDB-ID: #VU51896

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-11255

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing RTCP packets containing multiple SDES reports in Data Modem. A remote attacker can send specially crafted RTCP packets to the system and perform denial of service attack.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Use-after-free

EUVDB-ID: #VU51897

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15436

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in fs/block_dev.c in the Linux kernel. A local user can run a specially crafted program to escalate privileges on the system.

Install update from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Security restrictions bypass

EUVDB-ID: #VU51906

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0444

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Security restrictions bypass

EUVDB-ID: #VU51905

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0443

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Security restrictions bypass

EUVDB-ID: #VU51904

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0438

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 10 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Security restrictions bypass

EUVDB-ID: #VU51903

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0442

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Security restrictions bypass

EUVDB-ID: #VU51902

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0439

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Security restrictions bypass

EUVDB-ID: #VU51901

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0432

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Statsd in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Security restrictions bypass

EUVDB-ID: #VU51900

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0427

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Statsd in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Security restrictions bypass

EUVDB-ID: #VU51899

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0426

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Statsd in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Security restrictions bypass

EUVDB-ID: #VU51898

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0400

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows an attacker to bypass implemented security restrictions.

The vulnerability exists in Android Framework component due to incorrect privilege management. An attacker can bypass implemented security restrictions and gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Security restrictions bypass

EUVDB-ID: #VU51918

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0468

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to unspecified error in MediaTek component. A local user can gain access to otherwise restricted functionality.

Install updates from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Information disclosure

EUVDB-ID: #VU51917

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0428

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to unspecified error in System component. A local user can gain access to sensitive information.

Install updates from vendor's website.

Google Android: before 10 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Security restrictions bypass

EUVDB-ID: #VU51916

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0445

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the System component does not properly impose security restrictions. A local application can run a specially crafted code to bypass user interaction requirements and gain access to additional permissions.

Install updates from vendor's website.

Google Android: before 11 2021-04-05

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Security restrictions bypass

EUVDB-ID: #VU51915

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0435

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions within the System component. A local user can run a specially crafted code to bypass implemented security restrictions.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Security restrictions bypass

EUVDB-ID: #VU51914

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0446

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions within the System component. A local user can run a specially crafted code to bypass implemented security restrictions.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Security restrictions bypass

EUVDB-ID: #VU51913

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0431

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions within the System component. A local user can run a specially crafted code to bypass implemented security restrictions.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Security restrictions bypass

EUVDB-ID: #VU51912

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0433

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions within the System component. A local user can run a specially crafted code to bypass implemented security restrictions.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Security restrictions bypass

EUVDB-ID: #VU51911

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0429

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions within the System component. A local user can run a specially crafted code to bypass implemented security restrictions.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Buffer overflow

EUVDB-ID: #VU51910

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0430

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing certain files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Information disclosure

EUVDB-ID: #VU51909

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0471

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to unspecified error in Media Framework component. A local user can gain access to sensitive information on the system.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Information disclosure

EUVDB-ID: #VU51908

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0436

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to unspecified error in Media Framework component. A local user can gain access to sensitive information on the system.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Security restrictions bypass

EUVDB-ID: #VU51907

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-0437

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to application does not properly impose security restrictions in Media Framework. A local user can run a specially crafted application to bypass user interaction requirements and gain additional permissions on the system.

Install updates from vendor's website.

Google Android: before 11 2021-04-01

http://source.android.com/security/bulletin/2021-04-01

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.