CVE-2021-39635 — Incorrect Default Permissions in Google Android

CWE-276 — Incorrect Default Permissions4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.1%

top 70.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Android

Timeline

PublishedFeb 11

Latest updateFeb 12

Description

ims_ex is a vendor system service used to manage VoLTE in unisoc devices，But it does not verify the caller's permissions，so that normal apps (No phone permissions) can obtain some VoLTE sensitive information and manage VoLTE calls.Product: AndroidVersions: Android SoCAndroid ID: A-206492634

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

▶googlegoogle/android

🔴Vulnerability Details

GHSA

GHSA-xv84-3fv6-rp2r: ims_ex is a vendor system service used to manage VoLTE in unisoc devices?But it does not verify the caller's permissions?so that normal apps (No phone↗2022-02-12

▶

OSV

CVE-2021-39635: ims_ex is a vendor system service used to manage VoLTE in unisoc devices，But it does not verify the caller's permissions，so that normal apps (No phone↗2022-02-01

▶

📋Vendor Advisories

Android

CVE-2021-39635: ims_ex↗2022-02-01

▶