{"id":"ASB-A-232541124","details":"In stealReceiveChannel of EventThread.cpp, there is a possible way to interfere with process communication due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-232541124","CVE-2022-20344"],"modified":"2026-04-17T15:55:28.020024Z","published":"2022-08-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-08-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/a49c413aee3f89aa68963f67fb144355608e12c6"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/899e8cd0749cb3f43bef0bdb28002edab42bbb1b"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-08-01"}]}],"versions":["10"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["127469846548409983470268128607023459878","203863174457145462361197438585032144196","74364492603176318313944470921850953713","38035154383168608973232091071577427631"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/0840cdd08f39994e3f8c58eb65f24a8db1dc1173","target":{"file":"services/surfaceflinger/Scheduler/EventThread.h"},"signature_type":"Line","id":"ASB-A-232541124-9b3d0f0f","signature_version":"v1"},{"digest":{"function_hash":"120725164979726759199208347309898018967","length":147},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/0840cdd08f39994e3f8c58eb65f24a8db1dc1173","target":{"function":"EventThreadConnection::stealReceiveChannel","file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Function","id":"ASB-A-232541124-de95b6ee","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["221907669032479801584207109915539829466","138596314038625758329930666925880852430","205864945925658577086876635294506456286","111019090128844940958139250973217588210"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/0840cdd08f39994e3f8c58eb65f24a8db1dc1173","target":{"file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Line","id":"ASB-A-232541124-e9128e7a","signature_version":"v1"}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/0840cdd08f39994e3f8c58eb65f24a8db1dc1173"],"types":["EoP"],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232541124.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-08-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["221907669032479801584207109915539829466","138596314038625758329930666925880852430","205864945925658577086876635294506456286","111019090128844940958139250973217588210"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/a820057ae00dba322b10d47b3711b04519324690","target":{"file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Line","id":"ASB-A-232541124-0b3e1ae8","signature_version":"v1"},{"digest":{"function_hash":"120725164979726759199208347309898018967","length":147},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/a820057ae00dba322b10d47b3711b04519324690","target":{"function":"EventThreadConnection::stealReceiveChannel","file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Function","id":"ASB-A-232541124-5ccaab1b","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["127469846548409983470268128607023459878","203863174457145462361197438585032144196","74364492603176318313944470921850953713","38035154383168608973232091071577427631"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/a820057ae00dba322b10d47b3711b04519324690","target":{"file":"services/surfaceflinger/Scheduler/EventThread.h"},"signature_type":"Line","id":"ASB-A-232541124-97a46e1e","signature_version":"v1"}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/a820057ae00dba322b10d47b3711b04519324690"],"types":["EoP"],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232541124.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-08-01"}]}],"versions":["12"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"function_hash":"103285955403123022205109012819107315947","length":232},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/29e34cfcf95c6de1f2cbfe2bf588e4e354dbabe0","target":{"function":"EventThreadConnection::stealReceiveChannel","file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Function","id":"ASB-A-232541124-2600328f","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["127469846548409983470268128607023459878","188398773197276973434461446177019563054","19997007814924338987186876491082489832","204955967200086192988718999219434011228"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/29e34cfcf95c6de1f2cbfe2bf588e4e354dbabe0","target":{"file":"services/surfaceflinger/Scheduler/EventThread.h"},"signature_type":"Line","id":"ASB-A-232541124-55167f91","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["221907669032479801584207109915539829466","138596314038625758329930666925880852430","186654799477268374922345054802916573947","196432090748956429713506356090416189275"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/29e34cfcf95c6de1f2cbfe2bf588e4e354dbabe0","target":{"file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Line","id":"ASB-A-232541124-79abf23a","signature_version":"v1"}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/29e34cfcf95c6de1f2cbfe2bf588e4e354dbabe0"],"types":["EoP"],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232541124.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-08-01"}]}],"versions":["12L"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["127469846548409983470268128607023459878","188398773197276973434461446177019563054","19997007814924338987186876491082489832","204955967200086192988718999219434011228"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/97a317064a76b8fc3a65bd980027f820fd4d53ae","target":{"file":"services/surfaceflinger/Scheduler/EventThread.h"},"signature_type":"Line","id":"ASB-A-232541124-038a302b","signature_version":"v1"},{"digest":{"function_hash":"103285955403123022205109012819107315947","length":232},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/97a317064a76b8fc3a65bd980027f820fd4d53ae","target":{"function":"EventThreadConnection::stealReceiveChannel","file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Function","id":"ASB-A-232541124-cf660c59","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["221907669032479801584207109915539829466","138596314038625758329930666925880852430","186654799477268374922345054802916573947","196432090748956429713506356090416189275"]},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/97a317064a76b8fc3a65bd980027f820fd4d53ae","target":{"file":"services/surfaceflinger/Scheduler/EventThread.cpp"},"signature_type":"Line","id":"ASB-A-232541124-e47ce203","signature_version":"v1"}],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/97a317064a76b8fc3a65bd980027f820fd4d53ae"],"types":["EoP"],"spl":"2022-08-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-232541124.json"}}],"schema_version":"1.7.5"}