{"id":"ASB-A-256202273","details":"In verifyReplacingVersionCode of InstallPackageHelper.java, there is a possible way to downgrade system apps below system image version due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-256202273","CVE-2023-21116"],"modified":"2026-04-30T15:48:46.890647Z","published":"2023-05-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-05-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/08e20afd61c8a038503506e58bcf932360f19127"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/eecb1f05c7af24dc50fbc8425a8f64ee61ac2a05"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-05-01"}]}],"versions":["13-next"],"ecosystem_specific":{"severity":"Moderate","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586","https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e"],"spl":"2023-05-01","vanir_signatures":[{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586","id":"ASB-A-256202273-689b7777","signature_version":"v1","digest":{"length":1452,"function_hash":"237048816979219317842714686710299000619"}},{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e","id":"ASB-A-256202273-6cc4f59f","signature_version":"v1","digest":{"length":1956,"function_hash":"275082727597709184000753424244299309763"}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e","id":"ASB-A-256202273-d4508c35","signature_version":"v1","digest":{"line_hashes":["63605175448109501863603615311893262621","173546225366185263187613276852006820736","326190137785252094978958267753154377116","121636430540856708905499819382202482171","12470100640675359785548563315199428325","136411639950493568324331406542339470391","52084349353168562900965281274036000023","192309566731849079405040014069155480488","240044076485628183343597920015476546646","15846213334126375409777482138026109401","319783504689076465904149502568402839711","12970867237909160669962964194154689035"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586","id":"ASB-A-256202273-f49fe111","signature_version":"v1","digest":{"line_hashes":["252983177159641901497723896441268108671","289387077589455534524918148746428779006","166768919924717948816029414026291778836","118651231370392224840236119108995357589","329066948714175627806594661537085099266","145223966657233973943848442135262436020","152484718102809675440709313061526254350","230304300726357595687715847273695966229","320009394454379053579531924820497384068","43546057785041335342916011230490229185","9246424559103928267710257347131600408","19143163316148291948041402688674573657","15846213334126375409777482138026109401","319783504689076465904149502568402839711","12970867237909160669962964194154689035","108587633537507210242609878158511307392"],"threshold":0.9}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-256202273.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"11:0"},{"fixed":"11:2023-05-01"}]}],"versions":["11"],"ecosystem_specific":{"severity":"Moderate","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee","https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1"],"spl":"2023-05-01","vanir_signatures":[{"signature_type":"Function","target":{"function":"installLocationPolicy","file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1","id":"ASB-A-256202273-29b9f5a6","signature_version":"v1","digest":{"length":2261,"function_hash":"151921374874206919726116965175953254668"}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1","id":"ASB-A-256202273-b8a8a16d","signature_version":"v1","digest":{"line_hashes":["222045767716832383749242769202942973343","172263085076743103645302221398148206822","18446807281274191545814384627051110285","112297621029225928974437681997739513542","331518267978878963206822687149281344246","250787900086695259348937561781946441234","160051001919916929319362551830565128885","197310569562891636888240421344010323645","51496819919166146182184529611958472721","271137473222270698938701965978340802630","255775851074356921542275084611197677254","201364310431016264446019349512943794105"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"installLocationPolicy","file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee","id":"ASB-A-256202273-ef86efed","signature_version":"v1","digest":{"length":1826,"function_hash":"173837231139755839627835745645918749546"}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee","id":"ASB-A-256202273-ef9b11e7","signature_version":"v1","digest":{"line_hashes":["323383019452950439022721587221536495956","141646107424512681860211450863645381191","232267897797497898648796255356180266969","2370870929644306747326625601258318868","224242779210801795990559495442269668968","178573985239065263248700329163361724145","5330287858347148278703152876231282746","302345260809465962585949430366062394237","80355994349317547252844873612813219058","124486400087777756658524270427987607217","95769274484975723426472180748048707264","64241799393178439299039606659250128714","62892260601654439480810485495744612527","146314910599677978638984550390834355582","241325659543729037384589779924087367784","17841186410307136095848426418010374499","201364310431016264446019349512943794105","132157817494603273266127851704263228499"],"threshold":0.9}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-256202273.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2023-05-01"}]}],"versions":["12"],"ecosystem_specific":{"severity":"Moderate","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1","https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9"],"spl":"2023-05-01","vanir_signatures":[{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9","id":"ASB-A-256202273-02759271","signature_version":"v1","digest":{"line_hashes":["63605175448109501863603615311893262621","250142924094795662928341993625371411063","18446807281274191545814384627051110285","340165447095735351540002167618760511049","248542275005549700453051888874914133157","136411639950493568324331406542339470391","52084349353168562900965281274036000023","249134487297397458092309921339558148163","233737105932200566546070308756911750531","258319162602653658646703650914315289041","295605658156574038169729860859021103416"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9","id":"ASB-A-256202273-4b6a4f7c","signature_version":"v1","digest":{"length":1563,"function_hash":"324227939287504300206201911245919687108"}},{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1","id":"ASB-A-256202273-9bac9516","signature_version":"v1","digest":{"length":1111,"function_hash":"250529198514725569443102932472638047305"}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1","id":"ASB-A-256202273-9bf563d5","signature_version":"v1","digest":{"line_hashes":["131655243573161465468771858895034204693","291195504830007423434832839912940856673","163754913564646426883622002668483255590","227106837693655100677620947068783042509","104806414475779496517183112360544567596","266471921177581853385264246682457700002","5330287858347148278703152876231282746","302345260809465962585949430366062394237","80355994349317547252844873612813219058","124486400087777756658524270427987607217","95769274484975723426472180748048707264","64241799393178439299039606659250128714","62892260601654439480810485495744612527","45426094693595652196730483522232069233","122916161304883719854949885499528448722","328468289020675297204756527397870397097","295605658156574038169729860859021103416","108587633537507210242609878158511307392"],"threshold":0.9}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-256202273.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2023-05-01"}]}],"versions":["12L"],"ecosystem_specific":{"severity":"Moderate","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97","https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592"],"spl":"2023-05-01","vanir_signatures":[{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97","id":"ASB-A-256202273-556bc385","signature_version":"v1","digest":{"length":1111,"function_hash":"250529198514725569443102932472638047305"}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97","id":"ASB-A-256202273-6313a522","signature_version":"v1","digest":{"line_hashes":["131655243573161465468771858895034204693","291195504830007423434832839912940856673","163754913564646426883622002668483255590","227106837693655100677620947068783042509","104806414475779496517183112360544567596","266471921177581853385264246682457700002","5330287858347148278703152876231282746","302345260809465962585949430366062394237","80355994349317547252844873612813219058","124486400087777756658524270427987607217","95769274484975723426472180748048707264","64241799393178439299039606659250128714","62892260601654439480810485495744612527","45426094693595652196730483522232069233","122916161304883719854949885499528448722","328468289020675297204756527397870397097","295605658156574038169729860859021103416","108587633537507210242609878158511307392"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592","id":"ASB-A-256202273-7dd07e5f","signature_version":"v1","digest":{"line_hashes":["63605175448109501863603615311893262621","250142924094795662928341993625371411063","18446807281274191545814384627051110285","340165447095735351540002167618760511049","248542275005549700453051888874914133157","136411639950493568324331406542339470391","52084349353168562900965281274036000023","249134487297397458092309921339558148163","233737105932200566546070308756911750531","258319162602653658646703650914315289041","295605658156574038169729860859021103416"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/PackageManagerService.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592","id":"ASB-A-256202273-c5b50012","signature_version":"v1","digest":{"length":1563,"function_hash":"324227939287504300206201911245919687108"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-256202273.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-05-01"}]}],"versions":["13"],"ecosystem_specific":{"severity":"Moderate","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667","https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637"],"spl":"2023-05-01","vanir_signatures":[{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637","id":"ASB-A-256202273-1ac3335d","signature_version":"v1","digest":{"length":1956,"function_hash":"275082727597709184000753424244299309763"}},{"signature_type":"Function","target":{"function":"verifyReplacingVersionCode","file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667","id":"ASB-A-256202273-3fbed38b","signature_version":"v1","digest":{"length":1452,"function_hash":"237048816979219317842714686710299000619"}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637","id":"ASB-A-256202273-5d5f71cc","signature_version":"v1","digest":{"line_hashes":["63605175448109501863603615311893262621","173546225366185263187613276852006820736","326190137785252094978958267753154377116","121636430540856708905499819382202482171","12470100640675359785548563315199428325","136411639950493568324331406542339470391","52084349353168562900965281274036000023","192309566731849079405040014069155480488","240044076485628183343597920015476546646","15846213334126375409777482138026109401","319783504689076465904149502568402839711","12970867237909160669962964194154689035"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667","id":"ASB-A-256202273-7d6c016f","signature_version":"v1","digest":{"line_hashes":["252983177159641901497723896441268108671","289387077589455534524918148746428779006","166768919924717948816029414026291778836","118651231370392224840236119108995357589","329066948714175627806594661537085099266","145223966657233973943848442135262436020","152484718102809675440709313061526254350","230304300726357595687715847273695966229","320009394454379053579531924820497384068","43546057785041335342916011230490229185","9246424559103928267710257347131600408","19143163316148291948041402688674573657","15846213334126375409777482138026109401","319783504689076465904149502568402839711","12970867237909160669962964194154689035","108587633537507210242609878158511307392"],"threshold":0.9}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-256202273.json"}}],"schema_version":"1.7.5"}