{"id":"ASB-A-242996180","details":"In deletePackageVersionedInternal of DeletePackageHelper.java, there is a possible way to bypass carrier restrictions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-242996180","CVE-2022-20611"],"modified":"2026-05-01T15:24:27.653932Z","published":"2022-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2022-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"10:0"},{"fixed":"10:2022-12-01"}]}],"versions":["10"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"id":"ASB-A-242996180-6ec9cdda","digest":{"threshold":0.9,"line_hashes":["39390702847566015400062155873899846122","246170490382414263325557191844605501684","260944426907168236295731190582074330076","121045809211728814988130041147452091831"]},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2e42c393f2d5521d20acd9281d411a0fbc6196c3","signature_type":"Line","signature_version":"v1"},{"id":"ASB-A-242996180-977b42e9","digest":{"length":3171,"function_hash":"67763629278575921625377399606801959615"},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java","function":"deletePackageVersioned"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2e42c393f2d5521d20acd9281d411a0fbc6196c3","signature_type":"Function","signature_version":"v1"}],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2e42c393f2d5521d20acd9281d411a0fbc6196c3"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242996180.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2022-12-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"id":"ASB-A-242996180-0e29a94b","digest":{"threshold":0.9,"line_hashes":["39390702847566015400062155873899846122","246170490382414263325557191844605501684","327818450646080164831342029377344346321","22063825501038404061765592845133788762"]},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/fcdc62081c934d35a55ff7e511590337cb4e277a","signature_type":"Line","signature_version":"v1"},{"id":"ASB-A-242996180-bbf8b2a6","digest":{"length":3223,"function_hash":"326849271406198245851570886586795310718"},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java","function":"deletePackageVersionedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/fcdc62081c934d35a55ff7e511590337cb4e277a","signature_type":"Function","signature_version":"v1"}],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/fcdc62081c934d35a55ff7e511590337cb4e277a"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242996180.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2022-12-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"id":"ASB-A-242996180-33656dab","digest":{"threshold":0.9,"line_hashes":["39390702847566015400062155873899846122","246170490382414263325557191844605501684","250239728540596199841413986287882900414","36545710774110723821234371419348385686"]},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/dba7ceb57ecdf9485bcfe8eb554510ccf9ad773c","signature_type":"Line","signature_version":"v1"},{"id":"ASB-A-242996180-ba061652","digest":{"length":3512,"function_hash":"202255530113278639769155559530735938068"},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java","function":"deletePackageVersionedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/dba7ceb57ecdf9485bcfe8eb554510ccf9ad773c","signature_type":"Function","signature_version":"v1"}],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/dba7ceb57ecdf9485bcfe8eb554510ccf9ad773c"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242996180.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2022-12-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"id":"ASB-A-242996180-0b30ae2f","digest":{"length":3512,"function_hash":"202255530113278639769155559530735938068"},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java","function":"deletePackageVersionedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/cbda45eb956ec1f9105b45c5f995c1a15fba1c07","signature_type":"Function","signature_version":"v1"},{"id":"ASB-A-242996180-8ee52784","digest":{"threshold":0.9,"line_hashes":["39390702847566015400062155873899846122","246170490382414263325557191844605501684","250239728540596199841413986287882900414","36545710774110723821234371419348385686"]},"deprecated":false,"target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/cbda45eb956ec1f9105b45c5f995c1a15fba1c07","signature_type":"Line","signature_version":"v1"}],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/cbda45eb956ec1f9105b45c5f995c1a15fba1c07"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242996180.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2022-12-01"}]}],"versions":["13"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["253720506657137965708815905571603292106","72459550445661020850003662771714924553","299946231570760129098164675720578506659"]},"match_only_versions":["13"],"source":"https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c","id":"ASB-A-242996180-584794b5","deprecated":true,"signature_version":"v1","target":{"file":"services/core/java/com/android/server/pm/DeletePackageHelper.java"},"signature_type":"Line"},{"id":"ASB-A-242996180-678072e1","digest":{"length":3684,"function_hash":"51071305024780294137807663745819176638"},"deprecated":true,"target":{"file":"services/core/java/com/android/server/pm/DeletePackageHelper.java","function":"deletePackageVersionedInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c","signature_type":"Function","signature_version":"v1"}],"spl":"2022-12-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-242996180.json"}}],"schema_version":"1.7.5"}