In deleteNotificationChannelGroup of NotificationManagerService.java, there is a possible way to run foreground service without user notification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "length": 938.0, "function_hash": "290951079311518025289317428185156220612" }, "id": "ASB-A-209965481-89535daa", "source": "https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java", "function": "deleteNotificationChannelGroup" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "173889726864008581084648463149435370300", "262354977986027050444883349883546099729", "116899640845663794669050955193302776547", "28379216899964308584113511307080112261", "205349936232972022306123209987308556028", "45791029998817299130183393007229542476", "33911891339796287344364179616506003964", "56300563857206841818173955179521150177" ] }, "id": "ASB-A-209965481-968f1c8d", "source": "https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/6456b622fd39115001478b6fad2f45f50b65f30a" ], "spl": "2022-03-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "173889726864008581084648463149435370300", "262354977986027050444883349883546099729", "116899640845663794669050955193302776547", "28379216899964308584113511307080112261", "205349936232972022306123209987308556028", "45791029998817299130183393007229542476", "33911891339796287344364179616506003964", "56300563857206841818173955179521150177" ] }, "id": "ASB-A-209965481-08082901", "source": "https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java" }, "signature_type": "Line" }, { "digest": { "length": 939.0, "function_hash": "50702968381490164283789956219436653491" }, "id": "ASB-A-209965481-78b3483d", "source": "https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java", "function": "deleteNotificationChannelGroup" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/37a28db7f586de3bad3e9dff3afc4356bfb8bb76" ], "spl": "2022-03-01", "severity": "High", "types": [ "EoP" ] }
{ "vanir_signatures": [ { "digest": { "length": 939.0, "function_hash": "50702968381490164283789956219436653491" }, "id": "ASB-A-209965481-513a7a6f", "source": "https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java", "function": "deleteNotificationChannelGroup" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "173889726864008581084648463149435370300", "262354977986027050444883349883546099729", "116899640845663794669050955193302776547", "28379216899964308584113511307080112261", "205349936232972022306123209987308556028", "45791029998817299130183393007229542476", "33911891339796287344364179616506003964", "56300563857206841818173955179521150177" ] }, "id": "ASB-A-209965481-fbbaa0ab", "source": "https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86", "deprecated": false, "signature_version": "v1", "target": { "file": "services/core/java/com/android/server/notification/NotificationManagerService.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/539eaff7d59d645382f8a3ee1ea661c31d13ff86" ], "spl": "2022-03-01", "severity": "High", "types": [ "EoP" ] }