{"id":"ASB-A-237540408","details":"In buzzBeepBlinkLocked of NotificationManagerService.java, there is a possible way to share data across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-237540408","CVE-2022-20448"],"modified":"2026-05-01T15:24:27.653932Z","published":"2022-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/7b9ea7a75ed2de51e883f450b701c8d0d82e6e9c"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-11-01"}]}],"versions":["10"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/18f2ec86d680bff26ce9248061878894ad16e05f"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":2823,"function_hash":"198204764386842363082619558940037718463"},"signature_type":"Function","target":{"function":"buzzBeepBlinkLocked","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/18f2ec86d680bff26ce9248061878894ad16e05f","id":"ASB-A-237540408-27543f3e","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["298405840175992693065336118205416902503","64634700976450262439933333199223582711","10580285920849808251762143147315374736","323739062134790674112277294049884128165"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/18f2ec86d680bff26ce9248061878894ad16e05f","id":"ASB-A-237540408-8253a77c","deprecated":false}],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-237540408.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-11-01"}]}],"versions":["11"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":3197,"function_hash":"246213615877169029966090081243936282525"},"signature_type":"Function","target":{"function":"buzzBeepBlinkLocked","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-47554d02","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["323724515043905430543994376006462360177","115894979338096264011054995498352607437","1470757861002783157935506182797325807","314131693363967520025389527100311765605"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-e93623d6","deprecated":false}],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-237540408.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-11-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":3197,"function_hash":"246213615877169029966090081243936282525"},"signature_type":"Function","target":{"function":"buzzBeepBlinkLocked","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-401edd44","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["323724515043905430543994376006462360177","115894979338096264011054995498352607437","1470757861002783157935506182797325807","314131693363967520025389527100311765605"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-faef40a3","deprecated":false}],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-237540408.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-11-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["323724515043905430543994376006462360177","115894979338096264011054995498352607437","1470757861002783157935506182797325807","314131693363967520025389527100311765605"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-1d3148a0","deprecated":false},{"signature_version":"v1","digest":{"length":3197,"function_hash":"246213615877169029966090081243936282525"},"signature_type":"Function","target":{"function":"buzzBeepBlinkLocked","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-473e2f41","deprecated":false}],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-237540408.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-11-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f"],"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":3197,"function_hash":"246213615877169029966090081243936282525"},"signature_type":"Function","target":{"function":"buzzBeepBlinkLocked","file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-0d6a8f7e","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["323724515043905430543994376006462360177","115894979338096264011054995498352607437","1470757861002783157935506182797325807","314131693363967520025389527100311765605"]},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/notification/NotificationManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/a367c0a16a9070ed6bee3028ac5bbc967773ee8f","id":"ASB-A-237540408-f0251864","deprecated":false}],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-237540408.json"}}],"schema_version":"1.7.5"}