{"id":"ASB-A-240138294", "published":"2022-12-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2022-20474", "A-240138294"], "details":"In readLazyValue of Parcel.java, there is a possible loading of arbitrary code into the System Settings app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2022-12-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"220950197671026908620116892012269337281", "length":2612}, "id":"ASB-A-240138294-00727c86", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"line_hashes":["65744354714521746236409576191947554438", "336100995050413396604471046648600747849", "46174948320726816946394223971298634080", "204359576054625082268789891801367566762", "208991286625372726279956857582409591002", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "131094452132685235150002717794774811759", "218046355958882751674254932052378610608", "202670327038763020310835509548705256826", "319808544072902901818988794735872465308", "294963086035200924983677506496592561929", "266889227588429636352149285826247001618", "287536587174859972781888474519565795358", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513"], "threshold":0.9}, "id":"ASB-A-240138294-083f2460", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"283194143277269717748301748310619667576", "length":2210}, "id":"ASB-A-240138294-48619685", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"156948064075838632746183658421607701443", "length":1604}, "id":"ASB-A-240138294-70c5336a", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"38370320216997995420236719490943001759", "length":1167}, "id":"ASB-A-240138294-aa21fefb", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"checkKeyIntent"}}, {"deprecated":false, "digest":{"function_hash":"106863402836542716138093788315930033614", "length":5385}, "id":"ASB-A-240138294-f0320297", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"getAuthToken"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2022-12-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"106863402836542716138093788315930033614", "length":5385}, "id":"ASB-A-240138294-139dbec5", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"getAuthToken"}}, {"deprecated":false, "digest":{"function_hash":"38370320216997995420236719490943001759", "length":1167}, "id":"ASB-A-240138294-1436e0f9", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"checkKeyIntent"}}, {"deprecated":false, "digest":{"function_hash":"156948064075838632746183658421607701443", "length":1604}, "id":"ASB-A-240138294-1732870c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"220950197671026908620116892012269337281", "length":2612}, "id":"ASB-A-240138294-2b210912", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"283194143277269717748301748310619667576", "length":2210}, "id":"ASB-A-240138294-7fbdde97", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"line_hashes":["65744354714521746236409576191947554438", "336100995050413396604471046648600747849", "46174948320726816946394223971298634080", "204359576054625082268789891801367566762", "208991286625372726279956857582409591002", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "131094452132685235150002717794774811759", "218046355958882751674254932052378610608", "202670327038763020310835509548705256826", "319808544072902901818988794735872465308", "294963086035200924983677506496592561929", "266889227588429636352149285826247001618", "287536587174859972781888474519565795358", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513"], "threshold":0.9}, "id":"ASB-A-240138294-b3500800", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-12-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"283194143277269717748301748310619667576", "length":2210}, "id":"ASB-A-240138294-0bab2a56", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"38370320216997995420236719490943001759", "length":1167}, "id":"ASB-A-240138294-0ce8adbc", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"checkKeyIntent"}}, {"deprecated":false, "digest":{"function_hash":"106863402836542716138093788315930033614", "length":5385}, "id":"ASB-A-240138294-3d4a9fae", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"getAuthToken"}}, {"deprecated":false, "digest":{"function_hash":"156948064075838632746183658421607701443", "length":1604}, "id":"ASB-A-240138294-421b1bbd", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"line_hashes":["65744354714521746236409576191947554438", "336100995050413396604471046648600747849", "46174948320726816946394223971298634080", "204359576054625082268789891801367566762", "208991286625372726279956857582409591002", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "131094452132685235150002717794774811759", "218046355958882751674254932052378610608", "202670327038763020310835509548705256826", "319808544072902901818988794735872465308", "294963086035200924983677506496592561929", "266889227588429636352149285826247001618", "287536587174859972781888474519565795358", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513"], "threshold":0.9}, "id":"ASB-A-240138294-eeb2db13", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"220950197671026908620116892012269337281", "length":2612}, "id":"ASB-A-240138294-ff13d04d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2022-12-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"156948064075838632746183658421607701443", "length":1604}, "id":"ASB-A-240138294-03adb9b5", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"38370320216997995420236719490943001759", "length":1167}, "id":"ASB-A-240138294-175b0f49", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"checkKeyIntent"}}, {"deprecated":false, "digest":{"line_hashes":["65744354714521746236409576191947554438", "336100995050413396604471046648600747849", "46174948320726816946394223971298634080", "204359576054625082268789891801367566762", "208991286625372726279956857582409591002", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "131094452132685235150002717794774811759", "218046355958882751674254932052378610608", "202670327038763020310835509548705256826", "319808544072902901818988794735872465308", "294963086035200924983677506496592561929", "266889227588429636352149285826247001618", "287536587174859972781888474519565795358", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513"], "threshold":0.9}, "id":"ASB-A-240138294-79172dc1", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"283194143277269717748301748310619667576", "length":2210}, "id":"ASB-A-240138294-8878cac2", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"106863402836542716138093788315930033614", "length":5385}, "id":"ASB-A-240138294-bda1d53e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"getAuthToken"}}, {"deprecated":false, "digest":{"function_hash":"220950197671026908620116892012269337281", "length":2612}, "id":"ASB-A-240138294-dd9281ac", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eb9a0566a583fa13f8aff671c41f78a9e33eab82", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2022-12-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/34683275498914ece5ee9435846b7b429ccfc964", "https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"119819233901957715080604570772080806263", "length":1140}, "id":"ASB-A-240138294-0152ae22", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"checkKeyIntent"}}, {"deprecated":false, "digest":{"function_hash":"65631911930041298540002693789372037050", "length":362}, "id":"ASB-A-240138294-05719152", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/34683275498914ece5ee9435846b7b429ccfc964", "target":{"file":"core/java/android/os/Parcel.java", "function":"readLazyValue"}}, {"deprecated":false, "digest":{"function_hash":"172104913434305629063826639954111096960", "length":5627}, "id":"ASB-A-240138294-11ef425f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"getAuthToken"}}, {"deprecated":false, "digest":{"line_hashes":["231045337660171488666168590541471054540", "248523352219235644303151030262148233029", "314133701034599983666413107751200451172", "252501481589049757718974268511663338499"], "threshold":0.9}, "id":"ASB-A-240138294-1e47334d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/34683275498914ece5ee9435846b7b429ccfc964", "target":{"file":"core/java/android/os/Parcel.java"}}, {"deprecated":false, "digest":{"function_hash":"283194143277269717748301748310619667576", "length":2210}, "id":"ASB-A-240138294-2062c6cd", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"220950197671026908620116892012269337281", "length":2612}, "id":"ASB-A-240138294-2e349a7e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"function_hash":"156948064075838632746183658421607701443", "length":1604}, "id":"ASB-A-240138294-d1d77d12", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java", "function":"onResult"}}, {"deprecated":false, "digest":{"line_hashes":["197401720662816539459617790767298463363", "297452927230242983594296518816596032312", "243543373481505492379459454436153318386", "204359576054625082268789891801367566762", "208991286625372726279956857582409591002", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513", "131094452132685235150002717794774811759", "218046355958882751674254932052378610608", "202670327038763020310835509548705256826", "319808544072902901818988794735872465308", "294963086035200924983677506496592561929", "266889227588429636352149285826247001618", "287536587174859972781888474519565795358", "73315145992809006133637400549815878830", "294424605946274934913008858286110933628", "39620355197721807861858985648559892713", "122050568306174614461067255367068473513"], "threshold":0.9}, "id":"ASB-A-240138294-f61d7e48", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ba27731d04d95bf4b17c41a5d85aac09c39b9329", "target":{"file":"services/core/java/com/android/server/accounts/AccountManagerService.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-12-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/569c3023f839bca077cd3cccef0a3bef9c31af63"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/1e41d33566f84f624f6a755e4493432d5bd82915"}]}