{"id":"ASB-A-326485767","details":"In updateServicesLocked of AccessibilityManagerService.java, there is a possible way for an app to be hidden from the Setting while retaining Accessibility Service  due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-326485767","CVE-2024-31322"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2024-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2024-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/c1bc907a649addd5b97d489fd39afb956164a46c"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14-next:0"},{"fixed":"14-next:2024-06-01"}]}],"versions":["14-next"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/74ab528e54558b5a78a9b0f32a2e3f0a61714ae5","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"updateServicesLocked"},"digest":{"function_hash":"125819437784231376011864688327948081010","length":1936},"signature_version":"v1","signature_type":"Function","id":"ASB-A-326485767-3e5d69e0"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/74ab528e54558b5a78a9b0f32a2e3f0a61714ae5","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"id":"ASB-A-326485767-f6e72910","signature_version":"v1","digest":{"line_hashes":["203559070635639168501251831115072699849","110995883530772940642188919209479069590","79433123240605589203927884978662908669","17282063580431758823195469718657335965","29241121102181293544482375847729051410","32916341052150067112772034552314723220","83684619035523255534892517589474714090","241844383312430506646807325760702564423","146927061287855307579181888815117374125","32016434898657174529706919366923317883","71083680968358107861588739952857861883"],"threshold":0.9},"signature_type":"Line"}],"spl":"2024-06-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/74ab528e54558b5a78a9b0f32a2e3f0a61714ae5"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-326485767.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2024-06-01"}]}],"versions":["12"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/5405514a23edcba0cf30e6ec78189e3f4e7d95cf","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["16351716779938417858222206942405565388","318233294777691992028525546815303117132","69102399445628845693840405755057925358","17282063580431758823195469718657335965","29241121102181293544482375847729051410","32916341052150067112772034552314723220","83684619035523255534892517589474714090","241844383312430506646807325760702564423","146927061287855307579181888815117374125","32016434898657174529706919366923317883","128209730887649040410085733263337595484"],"threshold":0.9},"id":"ASB-A-326485767-42808d95"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/5405514a23edcba0cf30e6ec78189e3f4e7d95cf","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"updateServicesLocked"},"digest":{"function_hash":"237481197364134205644156268512456040514","length":1702},"signature_version":"v1","signature_type":"Function","id":"ASB-A-326485767-94947aaf"}],"spl":"2024-06-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/5405514a23edcba0cf30e6ec78189e3f4e7d95cf"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-326485767.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2024-06-01"}]}],"versions":["12L"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/412427d7a8c99fd0470483a5a20b50ba8642a1db","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["16351716779938417858222206942405565388","318233294777691992028525546815303117132","69102399445628845693840405755057925358","17282063580431758823195469718657335965","29241121102181293544482375847729051410","32916341052150067112772034552314723220","83684619035523255534892517589474714090","241844383312430506646807325760702564423","146927061287855307579181888815117374125","32016434898657174529706919366923317883","128209730887649040410085733263337595484"]},"id":"ASB-A-326485767-37a1a064"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/412427d7a8c99fd0470483a5a20b50ba8642a1db","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"updateServicesLocked"},"signature_type":"Function","signature_version":"v1","digest":{"function_hash":"237481197364134205644156268512456040514","length":1702},"id":"ASB-A-326485767-92640f7b"}],"spl":"2024-06-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/412427d7a8c99fd0470483a5a20b50ba8642a1db"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-326485767.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2024-06-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["16351716779938417858222206942405565388","318233294777691992028525546815303117132","69102399445628845693840405755057925358","17282063580431758823195469718657335965","29241121102181293544482375847729051410","32916341052150067112772034552314723220","83684619035523255534892517589474714090","241844383312430506646807325760702564423","146927061287855307579181888815117374125","32016434898657174529706919366923317883","128209730887649040410085733263337595484"]},"deprecated":false,"target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/766911c3312573196b33efd1c3c29ccece806846","signature_version":"v1","signature_type":"Line","id":"ASB-A-326485767-8a83a444"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/766911c3312573196b33efd1c3c29ccece806846","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"updateServicesLocked"},"id":"ASB-A-326485767-8f6d884a","signature_version":"v1","digest":{"function_hash":"237481197364134205644156268512456040514","length":1702},"signature_type":"Function"}],"spl":"2024-06-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/766911c3312573196b33efd1c3c29ccece806846"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-326485767.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2024-06-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/f6192d3a77520d40b6a93de8f45400e19f5ba29f","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java"},"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["203559070635639168501251831115072699849","110995883530772940642188919209479069590","79433123240605589203927884978662908669","17282063580431758823195469718657335965","29241121102181293544482375847729051410","32916341052150067112772034552314723220","83684619035523255534892517589474714090","241844383312430506646807325760702564423","146927061287855307579181888815117374125","32016434898657174529706919366923317883","71083680968358107861588739952857861883"]},"id":"ASB-A-326485767-adef4a9a"},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/f6192d3a77520d40b6a93de8f45400e19f5ba29f","target":{"file":"services/accessibility/java/com/android/server/accessibility/AccessibilityManagerService.java","function":"updateServicesLocked"},"id":"ASB-A-326485767-e560472a","signature_version":"v1","digest":{"function_hash":"125819437784231376011864688327948081010","length":1936},"signature_type":"Function"}],"spl":"2024-06-01","severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/f6192d3a77520d40b6a93de8f45400e19f5ba29f"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-326485767.json"}}],"schema_version":"1.7.5"}