In enqueueNotificationInternal of NotificationManagerService.java, there is a possible way to run a foreground service without showing a notification due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "240037727117598053934682089445336783166", "329474040879582449953478552907453855546", "174673651793102388188071638934257456124", "259588229805424313728476384333440510658", "155696764481876506922343483232310471129" ] }, "id": "ASB-A-191981182-533baa6b", "source": "https://android.googlesource.com/platform/frameworks/base/+/b6b2906ea6472d182e6ae03c581a63802cd84f08", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 3611.0, "function_hash": "196748049840613594069406754919439538533" }, "id": "ASB-A-191981182-a4fa6473", "source": "https://android.googlesource.com/platform/frameworks/base/+/b6b2906ea6472d182e6ae03c581a63802cd84f08", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java", "function": "enqueueNotificationInternal" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/b6b2906ea6472d182e6ae03c581a63802cd84f08" ], "spl": "2022-07-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 4610.0, "function_hash": "72877579714271495606303148392477615046" }, "id": "ASB-A-191981182-93d7ece6", "source": "https://android.googlesource.com/platform/frameworks/base/+/cb3c5c30092fb8527ff14118ccf04eae3a8363cb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java", "function": "enqueueNotificationInternal" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "13549590592486121308503808933030620588", "148911571839698110200170276866997909263", "212918861559158536384170514703963432599", "269490775990843939007528372060340186886" ] }, "id": "ASB-A-191981182-e10fe9cb", "source": "https://android.googlesource.com/platform/frameworks/base/+/cb3c5c30092fb8527ff14118ccf04eae3a8363cb", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/cb3c5c30092fb8527ff14118ccf04eae3a8363cb" ], "spl": "2022-07-01", "severity": "High", "types": [ "EoP" ] }