CVE-2021-39701

Name of the Vulnerable Software and Affected Versions Android versions Android-11 through Android-12

Description The issue is related to improper input validation in the serviceConnection of ControlsProviderLifecycleManager.kt, allowing a service to run in the foreground without notification or permission. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is required for exploitation.

Recommendations For Android versions Android-11 through Android-12, consider restricting the use of the vulnerable serviceConnection in ControlsProviderLifecycleManager.kt to minimize the risk of exploitation. As a temporary workaround, limit the ability of services to run in the foreground without proper notification or permission until a fix is available.