CVE-2026-3669
Received Received - Intake
Improper Authorization in Freedom Factory dGEN1 AlarmService

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Freedom Factory dGEN1 up to 20260221. This impacts the function AlarmService of the component com.dgen.alarm. Such manipulation leads to improper authorization. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3669
EUVD
EUVD-2026-10186
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freedom_factory dgen1 to 20260221 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3669 is an improper authorization vulnerability in the Freedom Factory dGEN1 device, specifically affecting the AlarmService function within the com.dgen.alarm component.

The vulnerability arises because an exported BroadcastReceiver named StopReceiver is enabled without any permission enforcement or caller identity validation. This allows any local application on the device to send broadcast intents to StopReceiver and perform privileged actions such as stopping the AlarmService, cancelling active alarm notifications, and cancelling scheduled alarms without authorization.

The attack requires local access, meaning a malicious app must be installed on the device, but no special permissions or root access are needed. This flaw leads to a broken authorization scenario where unauthorized apps can manipulate alarm functions.

Impact Analysis

This vulnerability allows a malicious local application to silently stop ringing alarms, dismiss alarm notifications, and cancel scheduled alarms without user knowledge or interaction.

As a result, users may miss critical wake alarms, reminders, or other time-sensitive notifications, effectively causing a denial-of-service condition on alarm functionality.

There is no direct access to user data or privilege escalation observed, but the impact on alarm reliability can affect user safety and daily routines.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the Freedom Factory dGEN1 device locally by exploiting an exported BroadcastReceiver named StopReceiver within the com.dgen.alarm.service package. Detection involves checking if the StopReceiver component is exported without permission enforcement or caller validation.

  • On the affected device, use Android debugging tools (adb) to inspect the app manifest for the exported BroadcastReceiver. For example, run: `adb shell dumpsys package com.dgen.alarm | grep StopReceiver` to verify if StopReceiver is exported.
  • Check for the presence of the exported BroadcastReceiver with no permission enforcement by extracting and reviewing the AndroidManifest.xml of the com.dgen.alarm app.
  • Monitor local app broadcasts targeting StopReceiver to detect unauthorized intents that stop alarms or cancel notifications.
Mitigation Strategies

[{'type': 'paragraph', 'content': 'There are no known official mitigations or patches from the vendor as they did not respond to the disclosure. Immediate mitigation involves restricting access to the vulnerable component.'}, {'type': 'list_item', 'content': 'If you have control over the device or app, set `android:exported="false"` on the StopReceiver BroadcastReceiver to prevent external apps from sending broadcast intents.'}, {'type': 'list_item', 'content': 'Enforce a signature-level custom permission on the StopReceiver to restrict which apps can interact with it.'}, {'type': 'list_item', 'content': 'Implement caller identity validation in the StopReceiver code using `Binder.getCallingUid()` and verify package signatures to ensure only authorized callers can control the AlarmService.'}, {'type': 'list_item', 'content': 'Consider replacing the affected product as no vendor fix is available and the vulnerability is easy to exploit locally.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3669. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart