{"id":"ASB-A-215003903","details":"In shouldAllowFgsWhileInUsePermissionLocked of ActiveServices.java, there is a possible way to start foreground service from background due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-215003903","CVE-2022-20356"],"modified":"2026-05-01T15:24:27.653932Z","published":"2022-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/05cd832c241a543feb3a833e75b56c6f253b05e9"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/7fa1b4d0657c1fcf88a1588863e16e4e468201a1"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-08-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/023509e4871c0dafb842dc812bfa62e8d59cbfae"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["141936494101994435910609408495157456321","254285161234220043694179047609840989917","294217032209153822903983582602723288062","114669496521924656086088538563371127692","28024616308006341106976744842847987427","132599590917118019040485781019659441855","122949261054482915679161995712476699604","2141210285318930533601221656012838095","50021513281883459740062358831646004931"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/023509e4871c0dafb842dc812bfa62e8d59cbfae","id":"ASB-A-215003903-89bf26fd","deprecated":false},{"signature_version":"v1","digest":{"length":1246,"function_hash":"147316198261685096379061978137664119284"},"signature_type":"Function","target":{"function":"shouldAllowWhileInUsePermissionInFgsLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/023509e4871c0dafb842dc812bfa62e8d59cbfae","id":"ASB-A-215003903-b2c1d615","deprecated":false}],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-215003903.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-08-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eef20391ce4d15d4508dc295cb338954a7c69de7"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":1886,"function_hash":"10144134792327162878797898150830193414"},"signature_type":"Function","target":{"function":"shouldAllowFgsWhileInUsePermissionLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/eef20391ce4d15d4508dc295cb338954a7c69de7","id":"ASB-A-215003903-200ce707","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["299260667654334594643410106607925375679","272466948077187693167245472331509964857","129575487162808911263554416528590020154","334165868034975187755725054720244119975","160611083855957589510357465509023293701","134808848653476560137711870956353618342","44906403825218549378530239113478347453","105820695026477628508134818188457768511","32352918875873988651242560550162227561"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/eef20391ce4d15d4508dc295cb338954a7c69de7","id":"ASB-A-215003903-98f1d2ad","deprecated":false}],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-215003903.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-08-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/b21cc11dd74ceb2da100bd243c33392d4dc2cb7d"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["299260667654334594643410106607925375679","272466948077187693167245472331509964857","129575487162808911263554416528590020154","334165868034975187755725054720244119975","160611083855957589510357465509023293701","134808848653476560137711870956353618342","44906403825218549378530239113478347453","105820695026477628508134818188457768511","32352918875873988651242560550162227561"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/am/ActiveServices.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/b21cc11dd74ceb2da100bd243c33392d4dc2cb7d","id":"ASB-A-215003903-26bf66ff","deprecated":false},{"signature_version":"v1","digest":{"length":1886,"function_hash":"10144134792327162878797898150830193414"},"signature_type":"Function","target":{"function":"shouldAllowFgsWhileInUsePermissionLocked","file":"services/core/java/com/android/server/am/ActiveServices.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/b21cc11dd74ceb2da100bd243c33392d4dc2cb7d","id":"ASB-A-215003903-71d4f31a","deprecated":false}],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-215003903.json"}}],"schema_version":"1.7.5"}