CVE-2026-3670
Received Received - Intake
Improper Authorization in Freedom Factory dGEN1 com.dgen.alarm

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in Freedom Factory dGEN1 up to 20260221. Affected is an unknown function of the component com.dgen.alarm. Performing a manipulation results in improper authorization. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3670
EUVD
EUVD-2026-10187
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freedom_factory dgen1 to 20260221 (exc)
freedom_factory dgen_alarm to 20260221 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3670 is an improper authorization vulnerability found in the Freedom Factory dGEN1 device, specifically in the dGEN Alarm application component com.dgen.alarm. The vulnerability arises because certain exported components, such as a BroadcastReceiver and an alarm-setting activity, do not properly verify the identity or permissions of the caller. This allows any local application on the device to silently create, trigger, and repeatedly restart alarms without user consent or authentication.'}, {'type': 'paragraph', 'content': "Technically, the BroadcastReceiver (AlarmReceiver) is exported and listens for alarm trigger broadcasts but does not validate the caller's UID, package, or signature. This enables unauthorized apps to send broadcasts that start the alarm service, which plays alarm sounds indefinitely. Additionally, the alarm-setting activity accepts an intent extra that allows alarm creation without user interaction. The lack of proper lifecycle management in the alarm service causes multiple overlapping alarm sounds, leading to a denial-of-service condition."}] [1, 2, 3]

Impact Analysis

This vulnerability can be exploited by any local application on the affected device to silently set and trigger alarms repeatedly without user interaction or consent. The repeated triggering causes multiple overlapping alarm sounds that play indefinitely, effectively creating a denial-of-service (DoS) condition.

  • Persistent and disruptive alarm sounds that make the device difficult or impossible to use.
  • Potential compromise of system availability due to continuous alarm playback.
  • Loss of user control over alarm functions and device behavior.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability requires local access and involves improper authorization in the com.dgen.alarm component of Freedom Factory dGEN1 devices. Detection involves checking for the presence of the vulnerable exported BroadcastReceiver (com.dgen.alarm.receiver.AlarmReceiver) and exported activities that allow alarm setting without user interaction.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerability by inspecting the installed applications and their exported components on the device. For example, using Android Debug Bridge (adb) commands to list exported receivers and activities in the com.dgen.alarm package.'}, {'type': 'list_item', 'content': "adb shell pm dump com.dgen.alarm | grep -i 'android:exported=true' - to identify exported components."}, {'type': 'list_item', 'content': 'adb shell dumpsys package com.dgen.alarm - to get detailed package info including exported receivers and activities.'}, {'type': 'list_item', 'content': 'Check for the presence of the BroadcastReceiver named com.dgen.alarm.receiver.AlarmReceiver and verify if it lacks caller validation.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual alarm triggers or persistent alarm sounds without user interaction may indicate exploitation attempts.'}] [3, 2]

Mitigation Strategies

Currently, no official vendor mitigations or patches are available due to lack of vendor response. Immediate mitigation steps focus on restricting access to the vulnerable components and preventing exploitation.

  • Restrict local access to the device to trusted users only, as exploitation requires local access.
  • If possible, modify the com.dgen.alarm app or its manifest to mark the BroadcastReceiver (com.dgen.alarm.receiver.AlarmReceiver) as non-exported or enforce signature-level permissions to prevent unauthorized access.
  • Implement or enforce caller validation checks (UID, package name, signature) on the AlarmReceiver to prevent unauthorized alarm triggering.
  • Prevent multiple concurrent MediaPlayer instances by adding lifecycle management to the alarm playback service.

If modification is not feasible, consider replacing the affected product as suggested, or isolating the device from untrusted local applications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3670. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart