{"id":"ASB-A-256202273", "published":"2023-05-01T00:00:00Z", "modified":"2026-05-01T15:24:27.653932157Z", "aliases":["CVE-2023-21116", "A-256202273"], "details":"In verifyReplacingVersionCode of InstallPackageHelper.java, there is a possible way to downgrade system apps below system image version due to a logic error in the code. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13-next:0"}, {"fixed":"13-next:2023-05-01"}]}], "versions":["13-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586", "https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e"], "severity":"Moderate", "spl":"2023-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"237048816979219317842714686710299000619", "length":1452}, "id":"ASB-A-256202273-689b7777", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"function_hash":"275082727597709184000753424244299309763", "length":1956}, "id":"ASB-A-256202273-6cc4f59f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"line_hashes":["63605175448109501863603615311893262621", "173546225366185263187613276852006820736", "326190137785252094978958267753154377116", "121636430540856708905499819382202482171", "12470100640675359785548563315199428325", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "192309566731849079405040014069155480488", "240044076485628183343597920015476546646", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035"], "threshold":0.9}, "id":"ASB-A-256202273-d4508c35", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/ceeca68b8c3f0ed8427b0212f63defe2f075146e", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"}}, {"deprecated":false, "digest":{"line_hashes":["252983177159641901497723896441268108671", "289387077589455534524918148746428779006", "166768919924717948816029414026291778836", "118651231370392224840236119108995357589", "329066948714175627806594661537085099266", "145223966657233973943848442135262436020", "152484718102809675440709313061526254350", "230304300726357595687715847273695966229", "320009394454379053579531924820497384068", "43546057785041335342916011230490229185", "9246424559103928267710257347131600408", "19143163316148291948041402688674573657", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035", "108587633537507210242609878158511307392"], "threshold":0.9}, "id":"ASB-A-256202273-f49fe111", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a4484d7f1be1fa413258fe18644d61f85611f586", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"11:0"}, {"fixed":"11:2023-05-01"}]}], "versions":["11"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee", "https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1"], "severity":"Moderate", "spl":"2023-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"151921374874206919726116965175953254668", "length":2261}, "id":"ASB-A-256202273-29b9f5a6", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"installLocationPolicy"}}, {"deprecated":false, "digest":{"line_hashes":["222045767716832383749242769202942973343", "172263085076743103645302221398148206822", "18446807281274191545814384627051110285", "112297621029225928974437681997739513542", "331518267978878963206822687149281344246", "250787900086695259348937561781946441234", "160051001919916929319362551830565128885", "197310569562891636888240421344010323645", "51496819919166146182184529611958472721", "271137473222270698938701965978340802630", "255775851074356921542275084611197677254", "201364310431016264446019349512943794105"], "threshold":0.9}, "id":"ASB-A-256202273-b8a8a16d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/341669af524058dd4c64a176ddc54ada589591e1", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"173837231139755839627835745645918749546", "length":1826}, "id":"ASB-A-256202273-ef86efed", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"installLocationPolicy"}}, {"deprecated":false, "digest":{"line_hashes":["323383019452950439022721587221536495956", "141646107424512681860211450863645381191", "232267897797497898648796255356180266969", "2370870929644306747326625601258318868", "224242779210801795990559495442269668968", "178573985239065263248700329163361724145", "5330287858347148278703152876231282746", "302345260809465962585949430366062394237", "80355994349317547252844873612813219058", "124486400087777756658524270427987607217", "95769274484975723426472180748048707264", "64241799393178439299039606659250128714", "62892260601654439480810485495744612527", "146314910599677978638984550390834355582", "241325659543729037384589779924087367784", "17841186410307136095848426418010374499", "201364310431016264446019349512943794105", "132157817494603273266127851704263228499"], "threshold":0.9}, "id":"ASB-A-256202273-ef9b11e7", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/aec76152d65cfd5774f6c0dcf4cb6009ba48c1ee", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2023-05-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1", "https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9"], "severity":"Moderate", "spl":"2023-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["63605175448109501863603615311893262621", "250142924094795662928341993625371411063", "18446807281274191545814384627051110285", "340165447095735351540002167618760511049", "248542275005549700453051888874914133157", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "249134487297397458092309921339558148163", "233737105932200566546070308756911750531", "258319162602653658646703650914315289041", "295605658156574038169729860859021103416"], "threshold":0.9}, "id":"ASB-A-256202273-02759271", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"324227939287504300206201911245919687108", "length":1563}, "id":"ASB-A-256202273-4b6a4f7c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/636cdf22b90ccb4866f380c307b7e1b92da03ed9", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"function_hash":"250529198514725569443102932472638047305", "length":1111}, "id":"ASB-A-256202273-9bac9516", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"line_hashes":["131655243573161465468771858895034204693", "291195504830007423434832839912940856673", "163754913564646426883622002668483255590", "227106837693655100677620947068783042509", "104806414475779496517183112360544567596", "266471921177581853385264246682457700002", "5330287858347148278703152876231282746", "302345260809465962585949430366062394237", "80355994349317547252844873612813219058", "124486400087777756658524270427987607217", "95769274484975723426472180748048707264", "64241799393178439299039606659250128714", "62892260601654439480810485495744612527", "45426094693595652196730483522232069233", "122916161304883719854949885499528448722", "328468289020675297204756527397870397097", "295605658156574038169729860859021103416", "108587633537507210242609878158511307392"], "threshold":0.9}, "id":"ASB-A-256202273-9bf563d5", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/cc9d3867082ac1518b7264c3752442f5ca112aa1", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2023-05-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97", "https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592"], "severity":"Moderate", "spl":"2023-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"250529198514725569443102932472638047305", "length":1111}, "id":"ASB-A-256202273-556bc385", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"line_hashes":["131655243573161465468771858895034204693", "291195504830007423434832839912940856673", "163754913564646426883622002668483255590", "227106837693655100677620947068783042509", "104806414475779496517183112360544567596", "266471921177581853385264246682457700002", "5330287858347148278703152876231282746", "302345260809465962585949430366062394237", "80355994349317547252844873612813219058", "124486400087777756658524270427987607217", "95769274484975723426472180748048707264", "64241799393178439299039606659250128714", "62892260601654439480810485495744612527", "45426094693595652196730483522232069233", "122916161304883719854949885499528448722", "328468289020675297204756527397870397097", "295605658156574038169729860859021103416", "108587633537507210242609878158511307392"], "threshold":0.9}, "id":"ASB-A-256202273-6313a522", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/eada93575f98dfc12854dbdcf54b6e5c6d417b97", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"line_hashes":["63605175448109501863603615311893262621", "250142924094795662928341993625371411063", "18446807281274191545814384627051110285", "340165447095735351540002167618760511049", "248542275005549700453051888874914133157", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "249134487297397458092309921339558148163", "233737105932200566546070308756911750531", "258319162602653658646703650914315289041", "295605658156574038169729860859021103416"], "threshold":0.9}, "id":"ASB-A-256202273-7dd07e5f", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"324227939287504300206201911245919687108", "length":1563}, "id":"ASB-A-256202273-c5b50012", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8e804c13abb3773e417638251490fce369766592", "target":{"file":"services/core/java/com/android/server/pm/PackageManagerService.java", "function":"verifyReplacingVersionCode"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2023-05-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667", "https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637"], "severity":"Moderate", "spl":"2023-05-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"275082727597709184000753424244299309763", "length":1956}, "id":"ASB-A-256202273-1ac3335d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"function_hash":"237048816979219317842714686710299000619", "length":1452}, "id":"ASB-A-256202273-3fbed38b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java", "function":"verifyReplacingVersionCode"}}, {"deprecated":false, "digest":{"line_hashes":["63605175448109501863603615311893262621", "173546225366185263187613276852006820736", "326190137785252094978958267753154377116", "121636430540856708905499819382202482171", "12470100640675359785548563315199428325", "136411639950493568324331406542339470391", "52084349353168562900965281274036000023", "192309566731849079405040014069155480488", "240044076485628183343597920015476546646", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035"], "threshold":0.9}, "id":"ASB-A-256202273-5d5f71cc", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14a91d2bc85a633de67584b27f4cef58c1645637", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"}}, {"deprecated":false, "digest":{"line_hashes":["252983177159641901497723896441268108671", "289387077589455534524918148746428779006", "166768919924717948816029414026291778836", "118651231370392224840236119108995357589", "329066948714175627806594661537085099266", "145223966657233973943848442135262436020", "152484718102809675440709313061526254350", "230304300726357595687715847273695966229", "320009394454379053579531924820497384068", "43546057785041335342916011230490229185", "9246424559103928267710257347131600408", "19143163316148291948041402688674573657", "15846213334126375409777482138026109401", "319783504689076465904149502568402839711", "12970867237909160669962964194154689035", "108587633537507210242609878158511307392"], "threshold":0.9}, "id":"ASB-A-256202273-7d6c016f", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/224da6d4c2579c01f88fb0bac9fd4c0f16ebe667", "target":{"file":"services/core/java/com/android/server/pm/InstallPackageHelper.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2023-05-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/08e20afd61c8a038503506e58bcf932360f19127"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/eecb1f05c7af24dc50fbc8425a8f64ee61ac2a05"}]}