{"id":"ASB-A-199754277","details":"In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-199754277","CVE-2021-0963"],"modified":"2026-07-02T16:52:13.655137360Z","published":"2021-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2021-12-01"}],"affected":[{"package":{"name":"platform/packages/apps/KeyChain","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"9:0"},{"fixed":"9:2021-12-01"}]}],"versions":["9"],"ecosystem_specific":{"spl":"2021-12-01","types":["EoP"],"severity":"High","vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/cdca35442c767d64f6d0db4af438a3856263857a","signature_type":"Function","target":{"function":"onCreate","file":"src/com/android/keychain/KeyChainActivity.java"},"signature_version":"v1","digest":{"length":229,"function_hash":"150779138925376225849993218317483860163"},"id":"ASB-A-199754277-01442b80"},{"id":"ASB-A-199754277-2f71314e","target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/cdca35442c767d64f6d0db4af438a3856263857a","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["303597175863065157596178365770904233588","48256645860803694307132140820223977274","217809699249745623648040710182897893395","125037849551146727792591082922861769984","326674869829824742598621061880651146141","74405704416687296925880408315642770338","153275313607274137358411093416341818351"],"threshold":0.9},"deprecated":false},{"deprecated":false,"target":{"function":"displayCertChooserDialog","file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/42d5b5ec58893e5f7f7d3bcc4a1e069aab3481b6","signature_type":"Function","signature_version":"v1","digest":{"length":3204,"function_hash":"136996276653729503400298582803212933472"},"id":"ASB-A-199754277-38371cc6"},{"id":"ASB-A-199754277-f933ea8f","target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/42d5b5ec58893e5f7f7d3bcc4a1e069aab3481b6","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["135855190934219119756034388740564437399","235540904095868242127131780153901629847","259238752188879198495785490080792033447","142819830997902240228446618298227373261"],"threshold":0.9},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/packages/apps/KeyChain/+/cdca35442c767d64f6d0db4af438a3856263857a","https://android.googlesource.com/platform/packages/apps/KeyChain/+/42d5b5ec58893e5f7f7d3bcc4a1e069aab3481b6"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-199754277.json"}},{"package":{"name":"platform/packages/apps/KeyChain","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2021-12-01"}]}],"versions":["10"],"ecosystem_specific":{"spl":"2021-12-01","types":["EoP"],"severity":"High","vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/7771b58966715ef430f5cb6d81344192ab6d258f","signature_type":"Line","target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"signature_version":"v1","digest":{"line_hashes":["303597175863065157596178365770904233588","48256645860803694307132140820223977274","217809699249745623648040710182897893395","149797091561683545734968523231355275794","59096776248267728189978126642021086297","223171761866261416097529983750924596398"],"threshold":0.9},"id":"ASB-A-199754277-0f35481e"},{"deprecated":false,"target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/2b7ea9710d2069f9768cc3c2350df74b60f9ecbf","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["135855190934219119756034388740564437399","235540904095868242127131780153901629847","259238752188879198495785490080792033447","142819830997902240228446618298227373261"],"threshold":0.9},"id":"ASB-A-199754277-a0ed1fb2"},{"id":"ASB-A-199754277-c5fb9d5c","target":{"function":"displayCertChooserDialog","file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/2b7ea9710d2069f9768cc3c2350df74b60f9ecbf","signature_type":"Function","signature_version":"v1","digest":{"length":2980,"function_hash":"73505772937041119365331112705127743616"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/packages/apps/KeyChain/+/7771b58966715ef430f5cb6d81344192ab6d258f","https://android.googlesource.com/platform/packages/apps/KeyChain/+/2b7ea9710d2069f9768cc3c2350df74b60f9ecbf"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-199754277.json"}},{"package":{"name":"platform/packages/apps/KeyChain","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2021-12-01"}]}],"versions":["11"],"ecosystem_specific":{"spl":"2021-12-01","types":["EoP"],"severity":"High","vanir_signatures":[{"id":"ASB-A-199754277-1019e4a8","target":{"function":"displayCertChooserDialog","file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/90c6182ef5933ec69383115e2703a177a0c5929b","signature_type":"Function","signature_version":"v1","digest":{"length":3011,"function_hash":"203824814824031038019991900579206230944"},"deprecated":false},{"deprecated":false,"target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/90c6182ef5933ec69383115e2703a177a0c5929b","signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["135855190934219119756034388740564437399","235540904095868242127131780153901629847","259238752188879198495785490080792033447","142819830997902240228446618298227373261"],"threshold":0.9},"id":"ASB-A-199754277-1024affc"},{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/3de513868e45f022fce83d738032fc69b8c6b0f5","signature_type":"Line","target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"signature_version":"v1","digest":{"line_hashes":["128691875263131775220820109058442280430","168206557357049122735330899459189004701","41045489127893675357598209381160343343","59364463441045711836603236181276549075","273197236036770507062995719670167860476","48256645860803694307132140820223977274","219824241320010701138802366041289464563","24326035824782186584841896781093620413","180873309683049572042491718958890115237","244121184130991112938393343813406232222"],"threshold":0.9},"id":"ASB-A-199754277-184c19c6"}],"fixes":["https://android.googlesource.com/platform/packages/apps/KeyChain/+/3de513868e45f022fce83d738032fc69b8c6b0f5","https://android.googlesource.com/platform/packages/apps/KeyChain/+/90c6182ef5933ec69383115e2703a177a0c5929b"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-199754277.json"}},{"package":{"name":"platform/packages/apps/KeyChain","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2021-12-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2021-12-01","types":["EoP"],"severity":"High","vanir_signatures":[{"deprecated":false,"signature_version":"v1","signature_type":"Line","target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/d2c543f9670ce4c6abc27fdc47d730b0c532d9fb","digest":{"line_hashes":["208145163328167472748897027555711714882","30674088855709114898709890290627615336","254801975279325279560290300634665894950","196498049348011577982911759103546494316","56162162265642485860413942937486547499","100392728771381320547015046049976835169","106258610578275625944997385992487392222"],"threshold":0.9},"id":"ASB-A-199754277-231b5806"},{"deprecated":false,"signature_version":"v1","signature_type":"Function","target":{"function":"displayCertChooserDialog","file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/0b90da9e52f53d089d34a895256f048729b36661","digest":{"length":2776,"function_hash":"118549816647082231951580483889162385421"},"id":"ASB-A-199754277-b9e6c704"},{"deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/0b90da9e52f53d089d34a895256f048729b36661","signature_type":"Line","target":{"file":"src/com/android/keychain/KeyChainActivity.java"},"signature_version":"v1","digest":{"line_hashes":["135855190934219119756034388740564437399","235540904095868242127131780153901629847","259238752188879198495785490080792033447","111842385937988146741835959770460073843"],"threshold":0.9},"id":"ASB-A-199754277-c2ca4d46"},{"id":"ASB-A-199754277-dca04a64","target":{"function":"onCreate","file":"src/com/android/keychain/KeyChainActivity.java"},"source":"https://android.googlesource.com/platform/packages/apps/KeyChain/+/d2c543f9670ce4c6abc27fdc47d730b0c532d9fb","signature_type":"Function","signature_version":"v1","digest":{"length":109,"function_hash":"71065350424441331116573748980346557509"},"deprecated":false}],"fixes":["https://android.googlesource.com/platform/packages/apps/KeyChain/+/d2c543f9670ce4c6abc27fdc47d730b0c532d9fb","https://android.googlesource.com/platform/packages/apps/KeyChain/+/0b90da9e52f53d089d34a895256f048729b36661"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-199754277.json"}}],"schema_version":"1.7.5"}