{"id":"ASB-A-238605611","details":"In navigateUpTo of Task.java, there is a possible way to launch an unexported intent handler due to a logic error in the code. This could lead to local escalation of privilege if the targeted app has an intent trampoline, with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-238605611","CVE-2022-20441"],"modified":"2026-05-28T15:16:54.500952700Z","published":"2022-11-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-11-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/54e57bbbd679cd7dd25c394d98ae399c8312a867"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-11-01"}]}],"versions":["10"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/b9a934064598aa655fab4ce75c8eab6165409670"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/ActivityStack.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/b9a934064598aa655fab4ce75c8eab6165409670","digest":{"line_hashes":["133686240502154279773786091537619108093","127422999342910536179245695135013393407","67300099388067396301101616012652645851","163337302695678712309673231316935163919"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-238605611-3c102533"},{"target":{"function":"navigateUpToLocked","file":"services/core/java/com/android/server/wm/ActivityStack.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/b9a934064598aa655fab4ce75c8eab6165409670","digest":{"length":2419,"function_hash":"141808979057367176623854081047563148082"},"signature_version":"v1","deprecated":false,"signature_type":"Function","id":"ASB-A-238605611-9d53ae64"}],"severity":"High","spl":"2022-11-01","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-238605611.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-11-01"}]}],"versions":["11"],"ecosystem_specific":{"vanir_signatures":[{"target":{"function":"navigateUpTo","file":"services/core/java/com/android/server/wm/ActivityStack.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/834812c423f10deb95953d41a7007d4cba78f1ec","digest":{"length":2639,"function_hash":"163152809231710033579916402524672977404"},"signature_version":"v1","deprecated":false,"signature_type":"Function","id":"ASB-A-238605611-91108326"},{"target":{"file":"services/core/java/com/android/server/wm/ActivityStack.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/834812c423f10deb95953d41a7007d4cba78f1ec","digest":{"line_hashes":["296617296869850907267513721048240912212","263685780514689924530157676118455628991","184954184224360563554526753095394000592","274708570523028382735820840000386689045"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-238605611-9b024acd"}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/834812c423f10deb95953d41a7007d4cba78f1ec"],"severity":"High","types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-238605611.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-11-01"}]}],"versions":["12"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d"],"vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/wm/Task.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d","digest":{"line_hashes":["296617296869850907267513721048240912212","263685780514689924530157676118455628991","184954184224360563554526753095394000592","274708570523028382735820840000386689045"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-238605611-0ce50a76"},{"target":{"function":"navigateUpTo","file":"services/core/java/com/android/server/wm/Task.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d","digest":{"length":2639,"function_hash":"163152809231710033579916402524672977404"},"signature_version":"v1","deprecated":false,"signature_type":"Function","id":"ASB-A-238605611-f2e80d05"}],"severity":"High","spl":"2022-11-01","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-238605611.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-11-01"}]}],"versions":["12L"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d"],"vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d","digest":{"line_hashes":["296617296869850907267513721048240912212","263685780514689924530157676118455628991","184954184224360563554526753095394000592","274708570523028382735820840000386689045"],"threshold":0.9},"id":"ASB-A-238605611-23f76833","deprecated":false,"signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/Task.java"}},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d","digest":{"length":2639,"function_hash":"163152809231710033579916402524672977404"},"id":"ASB-A-238605611-b8dfb5b3","deprecated":false,"signature_type":"Function","target":{"function":"navigateUpTo","file":"services/core/java/com/android/server/wm/Task.java"}}],"severity":"High","types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-238605611.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-11-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4c355690494f17c8ebdecbc8b1a1eaef21ffc0f3"],"vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/4c355690494f17c8ebdecbc8b1a1eaef21ffc0f3","digest":{"line_hashes":["296617296869850907267513721048240912212","263685780514689924530157676118455628991","184954184224360563554526753095394000592","274708570523028382735820840000386689045"],"threshold":0.9},"id":"ASB-A-238605611-4db27a7c","deprecated":false,"signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/Task.java"}},{"target":{"function":"navigateUpTo","file":"services/core/java/com/android/server/wm/Task.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4c355690494f17c8ebdecbc8b1a1eaef21ffc0f3","digest":{"length":2633,"function_hash":"253823414916555359442814760992698480359"},"id":"ASB-A-238605611-70327b87","deprecated":false,"signature_type":"Function","signature_version":"v1"}],"severity":"High","types":["EoP"],"spl":"2022-11-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-238605611.json"}}],"schema_version":"1.7.5"}