{"id":"ASB-A-213644870", "published":"2022-07-01T00:00:00Z", "modified":"2026-04-29T15:10:00.007170452Z", "aliases":["CVE-2022-20226", "A-213644870"], "details":"In finishDrawingWindow of WindowManagerService.java, there is a possible tapjacking due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-07-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208"], "severity":"High", "spl":"2022-07-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["10283689925970767745039467515145839613", "262447069286773819783877630469413526772", "42710371276610711414791601201715173153", "166183720595856650804928134883908547633", "30102194167949942252975857073123632582", "123398118123314661349505762760018517105", "204405425560196390556035502911962567381"], "threshold":0.9}, "id":"ASB-A-213644870-040d226c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208", "target":{"file":"core/jni/android_view_SurfaceControl.cpp"}}, {"deprecated":false, "digest":{"line_hashes":["109308593953997389863375467451930133254", "94699768790438915482765790682681872288", "110023916072507408757555310022252388335", "215111910697632882604036026239049292193"], "threshold":0.9}, "id":"ASB-A-213644870-2c31844f", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}, {"deprecated":false, "digest":{"line_hashes":["38968290403228463353837298513432406102", "304528173058242274849033339504350305354", "101157398416841870061643836720504773637", "113105747347854439447263763515229602544", "291314025743564295420860371659408652795", "314047888469450165801136092425354257071", "189991891994099775720685819681100013572"], "threshold":0.9}, "id":"ASB-A-213644870-30b72434", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208", "target":{"file":"core/java/android/view/SurfaceControl.java"}}, {"deprecated":false, "digest":{"function_hash":"83958915429775838570512321188110188733", "length":639}, "id":"ASB-A-213644870-712e9848", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c54faf3e691b3d952f649756578eab6f8a5d3208", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"finishDrawingWindow"}}]}}, {"package":{"name":"platform/frameworks/native", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-07-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b"], "severity":"High", "spl":"2022-07-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["158316474625177380927379967336735792071", "210021420014394732488362221031205883846", "331030268047125451190618899420805559668"], "threshold":0.9}, "id":"ASB-A-213644870-74f915ea", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b", "target":{"file":"libs/gui/LayerState.cpp"}}, {"deprecated":false, "digest":{"line_hashes":["332381021113198560895429062369073948349", "44331992766085121825441615548065094219", "88217928992512580016909342481436155673", "160599368510002579484529369188586086302"], "threshold":0.9}, "id":"ASB-A-213644870-d16defad", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b", "target":{"file":"libs/gui/include/gui/SurfaceComposerClient.h"}}, {"deprecated":false, "digest":{"line_hashes":["205641342065023842371091921530500723954", "278129404744689785468040558095339977043", "168828413441837664234458638552152734678", "12733264191246206875023833473909259006", "321795751002210282708716128041769480703", "91632105569992995968658733557942439857", "79537943416717662722743741558961208950", "157395701064132088622923284380667498154"], "threshold":0.9}, "id":"ASB-A-213644870-e9482da3", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b", "target":{"file":"libs/gui/include/gui/LayerState.h"}}, {"deprecated":false, "digest":{"line_hashes":["17440762063016278011988741857659065229", "106802602803923500112653028896911190638", "335430823114812336836988704439893870037", "103400400102260454088510578413313457032", "310169275428447047405242217820035451", "240320211232283025739686553089665140019"], "threshold":0.9}, "id":"ASB-A-213644870-eceff298", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b", "target":{"file":"libs/gui/SurfaceComposerClient.cpp"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2022-07-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905"], "severity":"High", "spl":"2022-07-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"83958915429775838570512321188110188733", "length":639}, "id":"ASB-A-213644870-2d1f9dbf", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"finishDrawingWindow"}}, {"deprecated":false, "digest":{"line_hashes":["109308593953997389863375467451930133254", "94699768790438915482765790682681872288", "110023916072507408757555310022252388335", "215111910697632882604036026239049292193"], "threshold":0.9}, "id":"ASB-A-213644870-3ba944f6", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}, {"deprecated":false, "digest":{"line_hashes":["206710912623225518822118118418562316887", "308209011028749043628053711427160371938", "12209304743745958707138099709119970222", "292317412448276784155305856665001322196", "291314025743564295420860371659408652795", "314047888469450165801136092425354257071", "189991891994099775720685819681100013572"], "threshold":0.9}, "id":"ASB-A-213644870-480a01eb", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905", "target":{"file":"core/java/android/view/SurfaceControl.java"}}, {"deprecated":false, "digest":{"line_hashes":["10283689925970767745039467515145839613", "262447069286773819783877630469413526772", "42710371276610711414791601201715173153", "149154735167034948074364255221988351201", "291211340028722230894985854103626517125", "117274481847790116195683706567649776575", "214026053996811510671851429925048764"], "threshold":0.9}, "id":"ASB-A-213644870-a62fa883", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905", "target":{"file":"core/jni/android_view_SurfaceControl.cpp"}}]}}, {"package":{"name":"platform/frameworks/native", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2022-07-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67"], "severity":"High", "spl":"2022-07-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["332381021113198560895429062369073948349", "44331992766085121825441615548065094219", "88217928992512580016909342481436155673", "160599368510002579484529369188586086302"], "threshold":0.9}, "id":"ASB-A-213644870-20040708", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67", "target":{"file":"libs/gui/include/gui/SurfaceComposerClient.h"}}, {"deprecated":false, "digest":{"line_hashes":["158316474625177380927379967336735792071", "210021420014394732488362221031205883846", "331030268047125451190618899420805559668"], "threshold":0.9}, "id":"ASB-A-213644870-3e24d18f", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67", "target":{"file":"libs/gui/LayerState.cpp"}}, {"deprecated":false, "digest":{"line_hashes":["205641342065023842371091921530500723954", "278129404744689785468040558095339977043", "168828413441837664234458638552152734678", "12733264191246206875023833473909259006", "321795751002210282708716128041769480703", "91632105569992995968658733557942439857", "79537943416717662722743741558961208950", "157395701064132088622923284380667498154"], "threshold":0.9}, "id":"ASB-A-213644870-4c807467", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67", "target":{"file":"libs/gui/include/gui/LayerState.h"}}, {"deprecated":false, "digest":{"line_hashes":["17440762063016278011988741857659065229", "106802602803923500112653028896911190638", "335430823114812336836988704439893870037", "103400400102260454088510578413313457032", "310169275428447047405242217820035451", "240320211232283025739686553089665140019"], "threshold":0.9}, "id":"ASB-A-213644870-575bf847", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/native/+/ade0d07ba1ae18d9aee25b22ff6ef49599217f67", "target":{"file":"libs/gui/SurfaceComposerClient.cpp"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-07-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/native/+/1ff38ab351a617c4870eec236b70932ff2c4473b"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/20303e05bf73796124ab70a279cf849b61b97905"}]}