CVE-2022-20226 — UI Misrepresentation / Clickjacking in Google Android

CWE-1021 — UI Misrepresentation / Clickjacking5 documents5 sources

Severity

3.9LOWNVD

EPSS

0.0%

top 97.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform Frameworks Base Platform Frameworks Native Google Android

Timeline

PublishedJul 13

Latest updateJul 14

Description

In finishDrawingWindow of WindowManagerService.java, there is a possible tapjacking due to improper input validation. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12 Android-12LAndroid ID: A-213644870

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5google/androidAndroid-12 Android-12L

▶NVDgoogle/android12.0, 12.1+1

▶Androidplatform/frameworks_base12:0 — 12:2022-07-01+1

▶Androidplatform/frameworks_native12:0 — 12:2022-07-01+1

Patches

Patch: source.android.com ↗Patch: source.android.com ↗

🔴Vulnerability Details

GHSA

GHSA-gvcp-c7h5-4wjc: In finishDrawingWindow of WindowManagerService↗2022-07-14

▶

CVEList

CVE-2022-20226: In finishDrawingWindow of WindowManagerService↗2022-07-13

▶

OSV

CVE-2022-20226: In finishDrawingWindow of WindowManagerService↗2022-07-01

▶

📋Vendor Advisories

Android

CVE-2022-20226: Android Security Bulletin 2022-07-01 CVE: CVE-2022-20226 Severity: HIGH Type: EoP Affected AOSP versions: 12, 12L References: A-213644870 [2]↗2022-07-01

▶