In notification access permission dialog box, malicious application can embedded a very long service label that overflow the original user prompt and possibly contains mis-leading information to be appeared as a system message for user confirmation.

In multiple functions of io_uring.c, there is a possible kernel memory corruption due to improper locking. This could lead to local escalation of privilege in the kernel with System execution privileges needed. User interaction is not needed for exploitation.

In multiple functions of binder.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In iwnpi server, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with System execution privileges needed.

In hci_server, there is a possible out of bounds read due to a missing bounds check. This could lead to local denial of service with System execution privileges needed.

In FM service, there is a possible missing params check. This could lead to local denial of service with System execution privileges needed.

In bluetooth service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

In bluetooth service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.

In telephony service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.