{"id":"ASB-A-213644870","details":"In finishDrawingWindow of WindowManagerService.java, there is a possible tapjacking due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.","aliases":["A-213644870","CVE-2022-20226"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2022-07-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-07-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-07-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208"],"spl":"2022-07-01","vanir_signatures":[{"signature_version":"v1","id":"ASB-A-213644870-040d226c","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["10283689925970767745039467515145839613","262447069286773819783877630469413526772","42710371276610711414791601201715173153","166183720595856650804928134883908547633","30102194167949942252975857073123632582","123398118123314661349505762760018517105","204405425560196390556035502911962567381"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208","signature_type":"Line","target":{"file":"core/jni/android_view_SurfaceControl.cpp"}},{"signature_version":"v1","id":"ASB-A-213644870-2c31844f","source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208","digest":{"threshold":0.9,"line_hashes":["109308593953997389863375467451930133254","94699768790438915482765790682681872288","110023916072507408757555310022252388335","215111910697632882604036026239049292193"]},"signature_type":"Line","deprecated":false,"target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}},{"signature_version":"v1","id":"ASB-A-213644870-30b72434","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["38968290403228463353837298513432406102","304528173058242274849033339504350305354","101157398416841870061643836720504773637","113105747347854439447263763515229602544","291314025743564295420860371659408652795","314047888469450165801136092425354257071","189991891994099775720685819681100013572"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208","signature_type":"Line","target":{"file":"core/java/android/view/SurfaceControl.java"}},{"signature_version":"v1","id":"ASB-A-213644870-712e9848","deprecated":false,"digest":{"function_hash":"83958915429775838570512321188110188733","length":639},"source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java","function":"finishDrawingWindow"}}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-213644870.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-07-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b"],"spl":"2022-07-01","vanir_signatures":[{"signature_version":"v1","id":"ASB-A-213644870-74f915ea","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["158316474625177380927379967336735792071","210021420014394732488362221031205883846","331030268047125451190618899420805559668"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b","signature_type":"Line","target":{"file":"libs/gui/LayerState.cpp"}},{"signature_version":"v1","id":"ASB-A-213644870-d16defad","source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b","digest":{"threshold":0.9,"line_hashes":["332381021113198560895429062369073948349","44331992766085121825441615548065094219","88217928992512580016909342481436155673","160599368510002579484529369188586086302"]},"signature_type":"Line","deprecated":false,"target":{"file":"libs/gui/include/gui/SurfaceComposerClient.h"}},{"signature_version":"v1","id":"ASB-A-213644870-e9482da3","source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b","digest":{"threshold":0.9,"line_hashes":["205641342065023842371091921530500723954","278129404744689785468040558095339977043","168828413441837664234458638552152734678","12733264191246206875023833473909259006","321795751002210282708716128041769480703","91632105569992995968658733557942439857","79537943416717662722743741558961208950","157395701064132088622923284380667498154"]},"signature_type":"Line","deprecated":false,"target":{"file":"libs/gui/include/gui/LayerState.h"}},{"signature_version":"v1","id":"ASB-A-213644870-eceff298","source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b","digest":{"threshold":0.9,"line_hashes":["17440762063016278011988741857659065229","106802602803923500112653028896911190638","335430823114812336836988704439893870037","103400400102260454088510578413313457032","310169275428447047405242217820035451","240320211232283025739686553089665140019"]},"signature_type":"Line","deprecated":false,"target":{"file":"libs/gui/SurfaceComposerClient.cpp"}}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-213644870.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905"],"spl":"2022-07-01","vanir_signatures":[{"signature_version":"v1","id":"ASB-A-213644870-2d1f9dbf","signature_type":"Function","digest":{"function_hash":"83958915429775838570512321188110188733","length":639},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java","function":"finishDrawingWindow"}},{"signature_version":"v1","id":"ASB-A-213644870-3ba944f6","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["109308593953997389863375467451930133254","94699768790438915482765790682681872288","110023916072507408757555310022252388335","215111910697632882604036026239049292193"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}},{"signature_version":"v1","id":"ASB-A-213644870-480a01eb","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["206710912623225518822118118418562316887","308209011028749043628053711427160371938","12209304743745958707138099709119970222","292317412448276784155305856665001322196","291314025743564295420860371659408652795","314047888469450165801136092425354257071","189991891994099775720685819681100013572"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905","target":{"file":"core/java/android/view/SurfaceControl.java"}},{"signature_version":"v1","id":"ASB-A-213644870-a62fa883","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["10283689925970767745039467515145839613","262447069286773819783877630469413526772","42710371276610711414791601201715173153","149154735167034948074364255221988351201","291211340028722230894985854103626517125","117274481847790116195683706567649776575","214026053996811510671851429925048764"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905","signature_type":"Line","target":{"file":"core/jni/android_view_SurfaceControl.cpp"}}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-213644870.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-07-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67"],"spl":"2022-07-01","vanir_signatures":[{"signature_version":"v1","id":"ASB-A-213644870-20040708","source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67","digest":{"threshold":0.9,"line_hashes":["332381021113198560895429062369073948349","44331992766085121825441615548065094219","88217928992512580016909342481436155673","160599368510002579484529369188586086302"]},"signature_type":"Line","deprecated":false,"target":{"file":"libs/gui/include/gui/SurfaceComposerClient.h"}},{"signature_version":"v1","id":"ASB-A-213644870-3e24d18f","source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67","digest":{"threshold":0.9,"line_hashes":["158316474625177380927379967336735792071","210021420014394732488362221031205883846","331030268047125451190618899420805559668"]},"signature_type":"Line","deprecated":false,"target":{"file":"libs/gui/LayerState.cpp"}},{"signature_version":"v1","id":"ASB-A-213644870-4c807467","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["205641342065023842371091921530500723954","278129404744689785468040558095339977043","168828413441837664234458638552152734678","12733264191246206875023833473909259006","321795751002210282708716128041769480703","91632105569992995968658733557942439857","79537943416717662722743741558961208950","157395701064132088622923284380667498154"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67","signature_type":"Line","target":{"file":"libs/gui/include/gui/LayerState.h"}},{"signature_version":"v1","id":"ASB-A-213644870-575bf847","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["17440762063016278011988741857659065229","106802602803923500112653028896911190638","335430823114812336836988704439893870037","103400400102260454088510578413313457032","310169275428447047405242217820035451","240320211232283025739686553089665140019"]},"source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67","signature_type":"Line","target":{"file":"libs/gui/SurfaceComposerClient.cpp"}}],"severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-213644870.json"}}],"schema_version":"1.7.5"}