{"id":"ASB-A-242996180", "published":"2022-12-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2022-20611", "A-242996180"], "details":"In deletePackageVersionedInternal of DeletePackageHelper.java, there is a possible way to bypass carrier restrictions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"10:0"}, {"fixed":"10:2022-12-01"}]}], "versions":["10"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2e42c393f2d5521d20acd9281d411a0fbc6196c3"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["39390702847566015400062155873899846122", "246170490382414263325557191844605501684", "260944426907168236295731190582074330076", "121045809211728814988130041147452091831"], "threshold":0.9}, "id":"ASB-A-242996180-6ec9cdda", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2e42c393f2d5521d20acd9281d411a0fbc6196c3", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"67763629278575921625377399606801959615", "length":3171}, "id":"ASB-A-242996180-977b42e9", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2e42c393f2d5521d20acd9281d411a0fbc6196c3", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"deletePackageVersioned"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2022-12-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/fcdc62081c934d35a55ff7e511590337cb4e277a"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["39390702847566015400062155873899846122", "246170490382414263325557191844605501684", "327818450646080164831342029377344346321", "22063825501038404061765592845133788762"], "threshold":0.9}, "id":"ASB-A-242996180-0e29a94b", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fcdc62081c934d35a55ff7e511590337cb4e277a", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"326849271406198245851570886586795310718", "length":3223}, "id":"ASB-A-242996180-bbf8b2a6", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fcdc62081c934d35a55ff7e511590337cb4e277a", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"deletePackageVersionedInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2022-12-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/dba7ceb57ecdf9485bcfe8eb554510ccf9ad773c"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["39390702847566015400062155873899846122", "246170490382414263325557191844605501684", "250239728540596199841413986287882900414", "36545710774110723821234371419348385686"], "threshold":0.9}, "id":"ASB-A-242996180-33656dab", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/dba7ceb57ecdf9485bcfe8eb554510ccf9ad773c", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"202255530113278639769155559530735938068", "length":3512}, "id":"ASB-A-242996180-ba061652", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/dba7ceb57ecdf9485bcfe8eb554510ccf9ad773c", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"deletePackageVersionedInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2022-12-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/cbda45eb956ec1f9105b45c5f995c1a15fba1c07"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"202255530113278639769155559530735938068", "length":3512}, "id":"ASB-A-242996180-0b30ae2f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/cbda45eb956ec1f9105b45c5f995c1a15fba1c07", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"deletePackageVersionedInternal"}}, {"deprecated":false, "digest":{"line_hashes":["39390702847566015400062155873899846122", "246170490382414263325557191844605501684", "250239728540596199841413986287882900414", "36545710774110723821234371419348385686"], "threshold":0.9}, "id":"ASB-A-242996180-8ee52784", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/cbda45eb956ec1f9105b45c5f995c1a15fba1c07", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2022-12-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c"], "severity":"High", "spl":"2022-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":true, "digest":{"line_hashes":["253720506657137965708815905571603292106", "72459550445661020850003662771714924553", "299946231570760129098164675720578506659"], "threshold":0.9}, "id":"ASB-A-242996180-584794b5", "match_only_versions":["13"], "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c", "target":{"file":"services/core/java/com/android/server/pm/DeletePackageHelper.java"}}, {"deprecated":true, "digest":{"function_hash":"51071305024780294137807663745819176638", "length":3684}, "id":"ASB-A-242996180-678072e1", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c", "target":{"file":"services/core/java/com/android/server/pm/DeletePackageHelper.java", "function":"deletePackageVersionedInternal"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2022-12-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/3ac6aa1e4daeb646bdb40813e988d1013d72150c"}]}