{"id":"ASB-A-238605611", "published":"2022-11-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2022-20441", "A-238605611"], "details":"In navigateUpTo of Task.java, there is a possible way to launch an unexported intent handler due to a logic error in the code. This could lead to local escalation of privilege if the targeted app has an intent trampoline, with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2022-11-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/b9a934064598aa655fab4ce75c8eab6165409670"], "severity":"High", "spl":"2022-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["133686240502154279773786091537619108093", "127422999342910536179245695135013393407", "67300099388067396301101616012652645851", "163337302695678712309673231316935163919"], "threshold":0.9}, "id":"ASB-A-238605611-3c102533", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/b9a934064598aa655fab4ce75c8eab6165409670", "target":{"file":"services/core/java/com/android/server/wm/ActivityStack.java"}}, {"deprecated":false, "digest":{"function_hash":"141808979057367176623854081047563148082", "length":2419}, "id":"ASB-A-238605611-9d53ae64", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/b9a934064598aa655fab4ce75c8eab6165409670", "target":{"file":"services/core/java/com/android/server/wm/ActivityStack.java", "function":"navigateUpToLocked"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2022-11-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/834812c423f10deb95953d41a7007d4cba78f1ec"], "severity":"High", "spl":"2022-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"163152809231710033579916402524672977404", "length":2639}, "id":"ASB-A-238605611-91108326", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/834812c423f10deb95953d41a7007d4cba78f1ec", "target":{"file":"services/core/java/com/android/server/wm/ActivityStack.java", "function":"navigateUpTo"}}, {"deprecated":false, "digest":{"line_hashes":["296617296869850907267513721048240912212", "263685780514689924530157676118455628991", "184954184224360563554526753095394000592", "274708570523028382735820840000386689045"], "threshold":0.9}, "id":"ASB-A-238605611-9b024acd", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/834812c423f10deb95953d41a7007d4cba78f1ec", "target":{"file":"services/core/java/com/android/server/wm/ActivityStack.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-11-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d"], "severity":"High", "spl":"2022-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["296617296869850907267513721048240912212", "263685780514689924530157676118455628991", "184954184224360563554526753095394000592", "274708570523028382735820840000386689045"], "threshold":0.9}, "id":"ASB-A-238605611-0ce50a76", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d", "target":{"file":"services/core/java/com/android/server/wm/Task.java"}}, {"deprecated":false, "digest":{"function_hash":"163152809231710033579916402524672977404", "length":2639}, "id":"ASB-A-238605611-f2e80d05", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d", "target":{"file":"services/core/java/com/android/server/wm/Task.java", "function":"navigateUpTo"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2022-11-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d"], "severity":"High", "spl":"2022-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["296617296869850907267513721048240912212", "263685780514689924530157676118455628991", "184954184224360563554526753095394000592", "274708570523028382735820840000386689045"], "threshold":0.9}, "id":"ASB-A-238605611-23f76833", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d", "target":{"file":"services/core/java/com/android/server/wm/Task.java"}}, {"deprecated":false, "digest":{"function_hash":"163152809231710033579916402524672977404", "length":2639}, "id":"ASB-A-238605611-b8dfb5b3", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/89ebc8c43f7d2aeaee4fdcf667f07aa98404981d", "target":{"file":"services/core/java/com/android/server/wm/Task.java", "function":"navigateUpTo"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2022-11-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4c355690494f17c8ebdecbc8b1a1eaef21ffc0f3"], "severity":"High", "spl":"2022-11-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["296617296869850907267513721048240912212", "263685780514689924530157676118455628991", "184954184224360563554526753095394000592", "274708570523028382735820840000386689045"], "threshold":0.9}, "id":"ASB-A-238605611-4db27a7c", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4c355690494f17c8ebdecbc8b1a1eaef21ffc0f3", "target":{"file":"services/core/java/com/android/server/wm/Task.java"}}, {"deprecated":false, "digest":{"function_hash":"253823414916555359442814760992698480359", "length":2633}, "id":"ASB-A-238605611-70327b87", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4c355690494f17c8ebdecbc8b1a1eaef21ffc0f3", "target":{"file":"services/core/java/com/android/server/wm/Task.java", "function":"navigateUpTo"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-11-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/54e57bbbd679cd7dd25c394d98ae399c8312a867"}]}