{"id":"ASB-A-157929241","details":"In WindowManager, there is a possible tapjacking attack due to an incorrect window flag when processing user input. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-157929241","CVE-2021-39691"],"modified":"2026-05-19T16:54:37.272608834Z","published":"2022-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-06-01"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L-next:0"},{"fixed":"12L-next:2022-06-01"}]}],"versions":["12L-next"],"ecosystem_specific":{"severity":"High","spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/5972dfb7154f1550869e9ae39f02d61be99cc1c2","https://android.googlesource.com/platform/frameworks/base/+/be3d14b5fccc5bccf12f3ec8af9fd3e43af7477b","https://android.googlesource.com/platform/frameworks/base/+/c07d90ff207cef18e30cc35efb8a0b456b24ba01"],"types":["EoP"],"vanir_signatures":[{"deprecated":true,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"153347065348297576086272620388138362993","length":1156},"source":"https://android.googlesource.com/platform/frameworks/base/+/5972dfb7154f1550869e9ae39f02d61be99cc1c2","target":{"function":"updateInputChannel","file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"id":"ASB-A-157929241-1c28704b"},{"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/base/+/5972dfb7154f1550869e9ae39f02d61be99cc1c2","match_only_versions":["12L-next"],"id":"ASB-A-157929241-2b8b83b5","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["58563466410381007163839025469922812273","338517104540503439045421012757645611643","93948896743369610819950804246628851451","177231549024239430334414517580665495405","246185078519528918125583660992247270145","203439133431149365179589401502637275269","111668051541835312223226028461026331966","108501984441557518335898098660511555749","71494980612380864952328452788358420277","122306817153474500633591346451668489","104235581513073197520511415572108749634"]},"target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"}},{"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/base/+/5972dfb7154f1550869e9ae39f02d61be99cc1c2","match_only_versions":["12L-next"],"id":"ASB-A-157929241-4a182953","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["132773352337124080789729270131381563473","179417527530155487907533589035760519482","15472179494974277352996987447185250363","119859239874343967522998842610674205942"]},"target":{"file":"core/java/android/view/WindowManager.java"}},{"signature_type":"Line","deprecated":true,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["92301874802876879800300804264221710037","308187357358330776406713004441457116409","39320247196469553920384226277335287108","166579063859907712482131959292186976922","169229089062142088050317133364961188430","26157600409494317195784676518382068449","218700501737969333823614092372709505116","87396694166605159295035069780113691174","184624018484936216838273776084714878218"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/5972dfb7154f1550869e9ae39f02d61be99cc1c2","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"id":"ASB-A-157929241-d7c0e089"},{"signature_type":"Function","deprecated":true,"signature_version":"v1","digest":{"function_hash":"310382824889737597461733662198232335870","length":1655},"source":"https://android.googlesource.com/platform/frameworks/base/+/5972dfb7154f1550869e9ae39f02d61be99cc1c2","target":{"function":"adjustWindowParamsLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"id":"ASB-A-157929241-fd576c99"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/packages/modules/Permission","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L-next:0"},{"fixed":"12L-next:2022-06-01"}]}],"versions":["12L-next"],"ecosystem_specific":{"severity":"High","spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/packages/modules/Permission/+/1047d4e44b6f2422a7aed2311b2695df1e8a5f66"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Permission/+/1047d4e44b6f2422a7aed2311b2695df1e8a5f66","match_only_versions":["12L-next"],"id":"ASB-A-157929241-4a5f182b","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["266451771207337882647398006016776335976","152778530814030248459216438437508528619","191200239085447040838302047096440730501","263270893609419413141107975357247074307","138312337730147805203224245303522183265","254843881453794660882541889006344539710","144138656155451294311315113459241442578","336647562501736590497452528575687260355","126674215813451262511316243988692177791","75100255801360539404353668777379487529","113050609607423334772924953711553593863","200806739722239618547435466965686920832","87751755987693354492872859136345651390","325502142519159076409320344952165530281"]},"target":{"file":"PermissionController/src/com/android/permissioncontroller/role/model/HomeRoleBehavior.java"}},{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Permission/+/1047d4e44b6f2422a7aed2311b2695df1e8a5f66","match_only_versions":["12L-next"],"id":"ASB-A-157929241-7fd13b71","signature_type":"Function","signature_version":"v1","digest":{"function_hash":"320654858666519986315252438776713473820","length":266},"target":{"function":"revoke","file":"PermissionController/src/com/android/permissioncontroller/role/model/HomeRoleBehavior.java"}},{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/modules/Permission/+/1047d4e44b6f2422a7aed2311b2695df1e8a5f66","match_only_versions":["12L-next"],"id":"ASB-A-157929241-ce8d6d51","signature_type":"Function","signature_version":"v1","digest":{"function_hash":"291770406326217863011581347223935487901","length":281},"target":{"function":"grant","file":"PermissionController/src/com/android/permissioncontroller/role/model/HomeRoleBehavior.java"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-06-01"}]}],"versions":["10"],"ecosystem_specific":{"severity":"High","spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/frameworks/native/+/6e689ffe3fad4b190629e11222936fb7cda041c2"],"types":["EoP"],"vanir_signatures":[{"signature_type":"Line","deprecated":false,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["83909744248771613920413884159268329451","335391426496715306198237935573687915228","86495769725788159622907656757257426039","293818353683518844837345193421986437986"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/6e689ffe3fad4b190629e11222936fb7cda041c2","target":{"file":"services/inputflinger/InputDispatcher.cpp"},"id":"ASB-A-157929241-49670bc0"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","digest":{"function_hash":"38131015991642964551032929699778201765","length":10745},"source":"https://android.googlesource.com/platform/frameworks/native/+/6e689ffe3fad4b190629e11222936fb7cda041c2","target":{"function":"InputDispatcher::findTouchedWindowTargetsLocked","file":"services/inputflinger/InputDispatcher.cpp"},"id":"ASB-A-157929241-7c973019"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-06-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"signature_type":"Function","deprecated":false,"signature_version":"v1","digest":{"function_hash":"197668447375550088595462888993817787185","length":1109},"source":"https://android.googlesource.com/platform/frameworks/base/+/07e7aaff2957c103d1bcd51e6e9b1dbde29d87bd","target":{"function":"updateInputChannel","file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"id":"ASB-A-157929241-35896653"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["58563466410381007163839025469922812273","255014915607238014811773278084584934218","325261277324665359666070124287546849498","146030089459388533325907162142839649016","220407582334627480893692131705077190638","233504428198100536970004212144302098617","330213027135848150965598926120822425914","181967708584856178536859204051798905755","236732265184660035366467935863000898408","209247006156520135414919465455632668230","189885709426762610526399389761134554638"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/07e7aaff2957c103d1bcd51e6e9b1dbde29d87bd","target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"id":"ASB-A-157929241-a0d4fcc7"},{"signature_type":"Function","deprecated":false,"signature_version":"v1","digest":{"function_hash":"248878794927647396918728413038369413928","length":1802},"source":"https://android.googlesource.com/platform/frameworks/base/+/07e7aaff2957c103d1bcd51e6e9b1dbde29d87bd","target":{"function":"adjustWindowParamsLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"id":"ASB-A-157929241-bc5ef53e"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["92301874802876879800300804264221710037","308187357358330776406713004441457116409","182739585670183033533835615909287447078","102682510814621086436227533852805382379","169229089062142088050317133364961188430","184587690390739275324101434936887629646","320061984503952522122792851423918277822","65023361680101847600272844512532549191","105267496751941668265139726099238228864"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/07e7aaff2957c103d1bcd51e6e9b1dbde29d87bd","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"id":"ASB-A-157929241-e9377f1e"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/cccf19150f5247e101417b2a4f3748813dd7058a","https://android.googlesource.com/platform/frameworks/base/+/07e7aaff2957c103d1bcd51e6e9b1dbde29d87bd"],"types":["EoP"],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-06-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","spl":"2022-06-01","fixes":["https://android.googlesource.com/platform/frameworks/native/+/d8c6ef21387db53930d728272db24cca1cd38a38"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"215636001148364275985609935948235791065","length":10129},"source":"https://android.googlesource.com/platform/frameworks/native/+/d8c6ef21387db53930d728272db24cca1cd38a38","target":{"function":"InputDispatcher::findTouchedWindowTargetsLocked","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"id":"ASB-A-157929241-4f1fd6b4"},{"signature_type":"Line","deprecated":false,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["36433552115218054786902081124042964491","226265167843788491288372118080704167450","209636117168920513288341662403767138008","65687755485929980392874111508506376415","306565193006909403514893976416407103269","259713964474171092967478440709050230339","123484333842159570417926662401010982595","307981482380070645554113985829441548232","100212652561836398012235130829636329800","223711419946894428175548437529077494754","247458752750817065692470830956316951571","65817281378580326768413349376608026049","268701751384246200401416673509427613450","260971592204745346326751675173539925769","312272564107966075389926792717265412125","276215940763734963832935816132512460195","306428279729043984174430439479866002516","114100168480311555784374730083011199038","224995580949486283473150533595575623485","265351960590956049312339660365232165547","24941738909571444383547519965100214182","211954732138150034112794507198208623742","303388869290428316526809736129200976507","159474328291417832713586623784209029769","53628338712192879342016225602707224708","293233257795421214057609807056910417467","108948354208461301316431328436865284798","1734208229481855244992657578123494851","96102250999902366698094728955482770418","157175383648756382238433842150119119840","36266979984612402831721406537264955787","148148580787783516570932623088827067179","291723163122799413539113935667519052746","308162668308713627069684425564071717225","53217213559927991142484365357935030755","1791464953375586125928176045316849998","282921658683096667748493456334806819355","312773524760692924424430917848009961772","304976700318746421053317005864551228032","246784223549066423306670199285314582723","12621730114058747022572830953367593855","109252984800301244323467394189332436309","46511506494366872305085347855843750693","112240479928188113292016573675727993975","52584879914020249408058118909020230842","231422006436629142105564878236459544711","228179379994455177847860042164607883137","118705031317865277456868412945070664838","77382627745860018988220035392272041975","171414956221169328456402610259857946283","279052160528129846401974635117666125350","338288589630154455502673100746858191122","149367147009822366523032771291970906715","175345549866751718947009255255275783965","16923081076592113365771857438430485894","1534496977082253815708251733778775394","23138798177941889622581531269640847150","339690294565987564406610789693871200162","116856882838280124593601445516585628277","247637379850569469554920242517981553490","107593982086668635088591656471236416080","122700687465832862159632230054272631445","98490742268758753427214417132759870508","49000308518733536814153782138435593556","288733728639490588127731704548252695454","250093657940131817149669272722830875728","294643193563371442249231836845029995621","179964390936937239374884581972225167751","111018730050456373884890985755289783241","276657416824164545994389515851385896100","59322017155780592732862519351248800287","304762744242750080355443786147797787583","220834820612530753522479356329029726918","288414692805888670123974264343554129337","63946277692908467375252829917379239519","193442952299023664176020372792463580577","293419759334788718725942788580988017467","278138186226346455345739470875763766119","49000308518733536814153782138435593556","288733728639490588127731704548252695454","250093657940131817149669272722830875728","117928972398266727520388533784262540553","100256021791620531408389343517357573379","12647698101921816636076972456839360548","79143702972210598445804541019004890920","203744316345729480691697534364365180534","225344600784906254960091674795429343896","198666522799091572520806652975454154740","309065074346907304282135570120685532193","330629577908953757055483646607947072192","159929122916348750361056132499973388166","313077679539295066591267071684184496108","94972231511960847344695119757317673998","2477864222702786428222477966989409133","293779743502996615600813400937409309439","174666759410129186372414291302124436510","13194377183608856915611859349817536135","272367616158397520875256853821540608248","337429055164513351312913278624541435674","57291438505738624969007918877709879648","288414692805888670123974264343554129337","63946277692908467375252829917379239519","118060208514341573061393190008698364834","30223735416047499573081953771253899510","70063520239448795409027101000470090298","167204942008229774819445938792603634326","252691037926632000581705182235656966437","122035009903186425841369657186426626559","55136293333954101199964925685454728763","146021885569089889719351414953246325021","169064195563548074509423288643640995892","931877712778748409032958339905918934","43360324979847079574544163327983642699","332458033984303704346188191667028131077","80904664918016483245946686029990997693","216763008521377743556489064809793374418","241485211116944755020250404898875749350","175409561699926778970322065654484866801","95277863392071150744016386425864271232","83728669001903070018471478524571497538","286327942251877439997328087175551601530","178269353529024223451845291172931656052","44717166743142873728277567397460672728","327821488011128638740447237532190229028","207516111348670465218511009071970592706","259571452692422641998243293892066825336","121656567188322622405087834466806720704","39248775899445715773548042964763159947","192979772885138259542476536110679638970","272367616158397520875256853821540608248","337429055164513351312913278624541435674","57291438505738624969007918877709879648","288414692805888670123974264343554129337","63946277692908467375252829917379239519","312213937316076172223697612946481974553","30816310338036383380363370807465072907","195417206718680953245805842393938978663","96411094820964434713377530611186316918","312638836338038428527424990318087557590","13530854507313691336713653884557585256","323823963496233932003629902250030443271","163680259203646151396194258233490236281","175751806345399167738373871535380472120","29037944336782005135844551149382726533","4349758314777059337690299462791706820","304474242662978061010814453391378886741","194866865281851956611460800017090975573","98930382168000327033903736933177742211"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/d8c6ef21387db53930d728272db24cca1cd38a38","target":{"file":"services/inputflinger/tests/InputDispatcher_test.cpp"},"id":"ASB-A-157929241-ca66a961"},{"deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["83909744248771613920413884159268329451","335391426496715306198237935573687915228","86495769725788159622907656757257426039","293818353683518844837345193421986437986"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/d8c6ef21387db53930d728272db24cca1cd38a38","target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"id":"ASB-A-157929241-d7344250"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/packages/apps/Launcher3","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-06-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"signature_type":"Line","deprecated":false,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["134819474328631603133796443972903733249","116386229792983575971439173336521864434","222511512100632230220672610381687033907","141877110356176432928266703449198614541","292214246491949075433752302704043572019","58811336993626638747551271804007064937","124428300855035937701697717779619540907","295477055928185487913505443853192118220","208623441473700920776895212394057174017","17696138799203616311625709599097332255","6330940361076397813707350478503492685"]},"source":"https://android.googlesource.com/platform/packages/apps/Launcher3/+/918776ee51c60a1156600bbbcf5da986ef882a91","target":{"file":"quickstep/src/com/android/launcher3/uioverrides/touchcontrollers/StatusBarTouchController.java"},"id":"ASB-A-157929241-bf0a7e57"}],"fixes":["https://android.googlesource.com/platform/packages/apps/Launcher3/+/918776ee51c60a1156600bbbcf5da986ef882a91"],"types":["EoP"],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-06-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"signature_type":"Function","deprecated":true,"signature_version":"v1","digest":{"function_hash":"310382824889737597461733662198232335870","length":1655},"source":"https://android.googlesource.com/platform/frameworks/base/+/0657e199403da352ffc765a72913458809658114","target":{"function":"adjustWindowParamsLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"id":"ASB-A-157929241-390b83ff"},{"deprecated":true,"source":"https://android.googlesource.com/platform/frameworks/base/+/0657e199403da352ffc765a72913458809658114","match_only_versions":["12"],"id":"ASB-A-157929241-58b666ef","signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["58563466410381007163839025469922812273","338517104540503439045421012757645611643","93948896743369610819950804246628851451","177231549024239430334414517580665495405","246185078519528918125583660992247270145","203439133431149365179589401502637275269","111668051541835312223226028461026331966","108501984441557518335898098660511555749","71494980612380864952328452788358420277","122306817153474500633591346451668489","104235581513073197520511415572108749634"]},"target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"}},{"deprecated":true,"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"153347065348297576086272620388138362993","length":1156},"source":"https://android.googlesource.com/platform/frameworks/base/+/0657e199403da352ffc765a72913458809658114","target":{"function":"updateInputChannel","file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"id":"ASB-A-157929241-6a4d2f27"},{"signature_type":"Line","deprecated":true,"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["92301874802876879800300804264221710037","308187357358330776406713004441457116409","39320247196469553920384226277335287108","166579063859907712482131959292186976922","169229089062142088050317133364961188430","26157600409494317195784676518382068449","218700501737969333823614092372709505116","87396694166605159295035069780113691174","184624018484936216838273776084714878218"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/0657e199403da352ffc765a72913458809658114","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"id":"ASB-A-157929241-c80781de"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/d732692ba764857225760274c63cba8e758f08e6","https://android.googlesource.com/platform/frameworks/base/+/0657e199403da352ffc765a72913458809658114"],"types":["EoP"],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}},{"package":{"name":"platform/packages/apps/Launcher3","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-06-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["42474112996094868378602810021259273740","90607248317882658960797275242671718857","252142154370890899054524848034613824890","316966423541302657758442697925677830105","292214246491949075433752302704043572019","58811336993626638747551271804007064937","124428300855035937701697717779619540907","295477055928185487913505443853192118220","208623441473700920776895212394057174017","17696138799203616311625709599097332255","6330940361076397813707350478503492685"]},"source":"https://android.googlesource.com/platform/packages/apps/Launcher3/+/81ff81227e26d08779f176ed40fc2bed1cb9a912","target":{"file":"quickstep/src/com/android/launcher3/uioverrides/touchcontrollers/StatusBarTouchController.java"},"id":"ASB-A-157929241-0434e004"}],"fixes":["https://android.googlesource.com/platform/packages/apps/Launcher3/+/81ff81227e26d08779f176ed40fc2bed1cb9a912"],"types":["EoP"],"spl":"2022-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-157929241.json"}}],"schema_version":"1.7.5"}