{"id":"ASB-A-209965481","details":"In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-209965481","CVE-2021-39704"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2022-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/b925955552885a049fcbff978415612dad3e447d"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-03-01"}]}],"versions":["11"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a","target":{"function":"deleteNotificationChannelGroup","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_version":"v1","digest":{"function_hash":"290951079311518025289317428185156220612","length":938},"signature_type":"Function","deprecated":false,"id":"ASB-A-209965481-89535daa"},{"id":"ASB-A-209965481-968f1c8d","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_version":"v1","digest":{"line_hashes":["173889726864008581084648463149435370300","262354977986027050444883349883546099729","116899640845663794669050955193302776547","28379216899964308584113511307080112261","205349936232972022306123209987308556028","45791029998817299130183393007229542476","33911891339796287344364179616506003964","56300563857206841818173955179521150177"],"threshold":0.9},"signature_type":"Line","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a"}],"types":["EoP"],"spl":"2022-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209965481.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-03-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76"],"vanir_signatures":[{"id":"ASB-A-209965481-08082901","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76","digest":{"line_hashes":["173889726864008581084648463149435370300","262354977986027050444883349883546099729","116899640845663794669050955193302776547","28379216899964308584113511307080112261","205349936232972022306123209987308556028","45791029998817299130183393007229542476","33911891339796287344364179616506003964","56300563857206841818173955179521150177"],"threshold":0.9},"signature_type":"Line","deprecated":false,"signature_version":"v1"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76","target":{"function":"deleteNotificationChannelGroup","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_version":"v1","id":"ASB-A-209965481-78b3483d","signature_type":"Function","deprecated":false,"digest":{"function_hash":"50702968381490164283789956219436653491","length":939}}],"types":["EoP"],"spl":"2022-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209965481.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-03-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86"],"vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86","target":{"function":"deleteNotificationChannelGroup","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_version":"v1","id":"ASB-A-209965481-513a7a6f","signature_type":"Function","deprecated":false,"digest":{"function_hash":"50702968381490164283789956219436653491","length":939}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_version":"v1","digest":{"line_hashes":["173889726864008581084648463149435370300","262354977986027050444883349883546099729","116899640845663794669050955193302776547","28379216899964308584113511307080112261","205349936232972022306123209987308556028","45791029998817299130183393007229542476","33911891339796287344364179616506003964","56300563857206841818173955179521150177"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"ASB-A-209965481-fbbaa0ab"}],"types":["EoP"],"spl":"2022-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209965481.json"}}],"schema_version":"1.7.5"}