{"id":"ASB-A-209965481","details":"In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-209965481","CVE-2021-39704"],"modified":"2026-05-29T15:55:33.750044621Z","published":"2022-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/b925955552885a049fcbff978415612dad3e447d"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-03-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a"],"severity":"High","spl":"2022-03-01","vanir_signatures":[{"signature_version":"v1","deprecated":false,"target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java","function":"deleteNotificationChannelGroup"},"signature_type":"Function","digest":{"length":938,"function_hash":"290951079311518025289317428185156220612"},"id":"ASB-A-209965481-89535daa","source":"https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a"},{"digest":{"line_hashes":["173889726864008581084648463149435370300","262354977986027050444883349883546099729","116899640845663794669050955193302776547","28379216899964308584113511307080112261","205349936232972022306123209987308556028","45791029998817299130183393007229542476","33911891339796287344364179616506003964","56300563857206841818173955179521150177"],"threshold":0.9},"deprecated":false,"target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-209965481-968f1c8d","source":"https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209965481.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-03-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["173889726864008581084648463149435370300","262354977986027050444883349883546099729","116899640845663794669050955193302776547","28379216899964308584113511307080112261","205349936232972022306123209987308556028","45791029998817299130183393007229542476","33911891339796287344364179616506003964","56300563857206841818173955179521150177"],"threshold":0.9},"deprecated":false,"target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-209965481-08082901","source":"https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76"},{"signature_version":"v1","digest":{"length":939,"function_hash":"50702968381490164283789956219436653491"},"target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java","function":"deleteNotificationChannelGroup"},"signature_type":"Function","deprecated":false,"id":"ASB-A-209965481-78b3483d","source":"https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76"}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76"],"spl":"2022-03-01","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209965481.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-03-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86"],"spl":"2022-03-01","vanir_signatures":[{"signature_version":"v1","digest":{"length":939,"function_hash":"50702968381490164283789956219436653491"},"target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java","function":"deleteNotificationChannelGroup"},"signature_type":"Function","deprecated":false,"id":"ASB-A-209965481-513a7a6f","source":"https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86"},{"digest":{"line_hashes":["173889726864008581084648463149435370300","262354977986027050444883349883546099729","116899640845663794669050955193302776547","28379216899964308584113511307080112261","205349936232972022306123209987308556028","45791029998817299130183393007229542476","33911891339796287344364179616506003964","56300563857206841818173955179521150177"],"threshold":0.9},"deprecated":false,"target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"signature_type":"Line","signature_version":"v1","id":"ASB-A-209965481-fbbaa0ab","source":"https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-209965481.json"}}],"schema_version":"1.7.5"}