<--

OnePlus 3/3T OxygenOS dm-verity Security Bypass

Aleph Research Advisory

Identifier

Severity

Moderate

Products

  1. OnePlus 3T
  2. OnePlus 3

Vulnerable Version

OxygenOS prior to 4.0.3

Technical Details

The attacker can persistently make the (locked) bootloader start the platform with dm-verity disabled, by issuing the fastboot oem disable_dm_verity command. Having dm-verity disabled, the kernel will not verify the system partition (and any other dm-verity protected partition), which may allow for persistent code execution and privilege escalation.

Timeline

Posts

Credit

External References