CVE-2026-3669
Status: Received - Intake
Improper Authorization in Freedom Factory dGEN1 AlarmService

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in Freedom Factory dGEN1 up to 20260221. This impacts the function AlarmService of the component com.dgen.alarm. Such manipulation leads to improper authorization. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-03-07
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE

Vendor           Product   Version / Range
freedom_factory  dgen1     up to 20260221 (inclusive)
CWE ID    Description
CWE-285   The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266   A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3669 is an improper authorization vulnerability in the Freedom Factory dGEN1 device, specifically affecting the AlarmService function within the com.dgen.alarm component.

The vulnerability arises because an exported BroadcastReceiver named StopReceiver is enabled without any permission enforcement or caller identity validation. This allows any local application on the device to send broadcast intents to StopReceiver and perform privileged actions such as stopping the AlarmService, cancelling active alarm notifications, and cancelling scheduled alarms without authorization.

The attack requires local access, meaning a malicious app must be installed on the device, but no special permissions or root access are needed. This flaw leads to a broken authorization scenario where unauthorized apps can manipulate alarm functions.


How can this vulnerability impact me?

This vulnerability allows a malicious local application to silently stop ringing alarms, dismiss alarm notifications, and cancel scheduled alarms without user knowledge or interaction.

As a result, users may miss critical wake alarms, reminders, or other time-sensitive notifications, effectively causing a denial-of-service condition on alarm functionality.

There is no direct access to user data or privilege escalation observed, but the impact on alarm reliability can affect user safety and daily routines.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the Freedom Factory dGEN1 device locally by exploiting an exported BroadcastReceiver named StopReceiver within the com.dgen.alarm.service package. Detection involves checking if the StopReceiver component is exported without permission enforcement or caller validation.

  • On the affected device, use Android debugging tools (adb) to inspect the app manifest for the exported BroadcastReceiver. For example, run: `adb shell dumpsys package com.dgen.alarm | grep StopReceiver` to verify if StopReceiver is exported.
  • Check for the presence of the exported BroadcastReceiver with no permission enforcement by extracting and reviewing the AndroidManifest.xml of the com.dgen.alarm app.
  • Monitor local app broadcasts targeting StopReceiver to detect unauthorized intents that stop alarms or cancel notifications.

What immediate steps should I take to mitigate this vulnerability?

There are no known official mitigations or patches from the vendor as they did not respond to the disclosure. Immediate mitigation involves restricting access to the vulnerable component.

  • If you have control over the device or app, set `android:exported="false"` on the StopReceiver BroadcastReceiver to prevent external apps from sending broadcast intents.
  • Enforce a signature-level custom permission on the StopReceiver to restrict which apps can interact with it.
  • Implement caller identity validation in the StopReceiver code using `Binder.getCallingUid()` and verify package signatures to ensure only authorized callers can control the AlarmService.
  • Consider replacing the affected product as no vendor fix is available and the vulnerability is easy to exploit locally.
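The detection answer above says to review the app's AndroidManifest.xml for an exported receiver with no permission, and the mitigation answer says to fix it with `android:exported="false"` or a signature-level permission. The following Python script is an added example (not code from this page, from VulDB, or from the vendor) that performs that manifest audit and shows both manifest states side by side. It assumes a decoded, source-form manifest (binary AXML pulled from a device must first be decoded, e.g. with apktool); the two embedded manifests are constructed for illustration, the `.service.StopReceiver` class path and the `com.dgen.alarm.STOP` action and `CONTROL_ALARM` permission names are assumptions, and the exported-by-default rule is the pre-targetSdk-31 behaviour.

```python
"""Audit an AndroidManifest.xml for components that are exported without a
strong permission, the CWE-285 pattern described for CVE-2026-3669."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest modelled on the page's description: StopReceiver
# is exported and has no android:permission. Class path and action are assumed.
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.dgen.alarm">
  <application>
    <service android:name=".service.AlarmService" android:exported="false"/>
    <receiver android:name=".service.StopReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.dgen.alarm.STOP"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed hardened variant: a signature-level custom permission guards the
# receiver, so only apps signed with the same key can deliver the broadcast.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.dgen.alarm">
  <permission android:name="com.dgen.alarm.permission.CONTROL_ALARM"
      android:protectionLevel="signature"/>
  <application>
    <service android:name=".service.AlarmService" android:exported="false"/>
    <receiver android:name=".service.StopReceiver" android:exported="true"
        android:permission="com.dgen.alarm.permission.CONTROL_ALARM">
      <intent-filter>
        <action android:name="com.dgen.alarm.STOP"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

STRONG_LEVELS = ("signature", "signatureOrSystem")


def declared_permissions(root):
    """Map each <permission> declared in the manifest to its protectionLevel
    (source manifests use the string form; 'normal' is Android's default)."""
    return {
        p.get(ANDROID_NS + "name"): p.get(ANDROID_NS + "protectionLevel", "normal")
        for p in root.iter("permission")
    }


def is_exported(component):
    """Android's rule: an explicit android:exported wins; otherwise a component
    that declares an <intent-filter> is exported by default (pre-targetSdk 31)."""
    explicit = component.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return (component name, reason) findings for receivers, services and
    activities that other apps can reach without a signature-level permission."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    findings = []
    for tag in ("receiver", "service", "activity"):
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            name = comp.get(ANDROID_NS + "name")
            perm = comp.get(ANDROID_NS + "permission")
            if perm is None:
                findings.append((name, f"exported {tag} with no android:permission"))
            elif perm not in perms:
                # Permission declared elsewhere (platform or another app): its
                # protectionLevel cannot be judged from this manifest alone.
                findings.append((name, f"exported {tag} guarded by externally declared permission {perm}; check its protectionLevel"))
            elif perms[perm] not in STRONG_LEVELS:
                findings.append((name, f"exported {tag} guarded by non-signature permission {perm}"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or "no findings")
```

Run against a manifest decoded from the installed package, the script lists every component a co-installed app could invoke. Setting `android:exported="false"` removes the receiver from the report entirely; the signature-permission route keeps it reachable only by same-key apps, which is the second mitigation listed above. A permission declared with `protectionLevel="normal"` or `"dangerous"` is still reported, because any third-party app can request those.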

