ASB-A-290086710
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-290086710.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-290086710
- Aliases
-
- A-290086710
- CVE-2025-26440
- Published
- 2025-05-01T00:00:00Z
- Modified
- 2025-05-05T15:31:23Z
- Summary
- [none]
- Details
-
In multiple functions of CameraService.cpp, there is a possible way to use the camera from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
Affected packages
Android / platform/frameworks/av
Package
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 1656.0,
"function_hash": "254202837061846832544589291245355270633"
},
"id": "ASB-A-290086710-51dbb89d",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/camera/libcameraservice/CameraService.cpp",
"function": "CameraService::BasicClient::opChanged"
},
"signature_type": "Function"
},
{
"digest": {
"length": 866.0,
"function_hash": "302322008522747557019494382704664026732"
},
"id": "ASB-A-290086710-b21498a0",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/camera/libcameraservice/CameraService.cpp",
"function": "CameraService::BasicClient::startCameraOps"
},
"signature_type": "Function"
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"287023254196078774974346117208349949074",
"71649452220605875848730161465198933078",
"257068969661533249716246651634082780533",
"32410912919073141206202916228112545218",
"425831353257704999743813501053022473",
"30648849819907695628208091309181388627",
"214176240908218353227764329756796466877",
"82556939667956581029247832626831654630",
"245052272985031328425942731442219873781",
"330931687319613007159986692846726124149",
"235720143994668494477436673907911073678",
"297963264748252115347413654939754396413",
"76761991812040438069226239587023531933",
"305271750055051743938661016042039615261",
"48056098082814772610986852440205103977",
"278703809251719793956423613461046183192",
"241247860131011694514509276441160619821",
"321167379323989853905497695244594083097",
"74781804252044493077812330606545515838"
]
},
"id": "ASB-A-290086710-f55f1c71",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/camera/libcameraservice/CameraService.cpp"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db"
],
"spl": "2025-05-01",
"severity": "High",
"types": [
"EoP"
]
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"vanir_signatures": [
{
"match_only_versions": [
"15-next"
],
"digest": {
"length": 1621.0,
"function_hash": "180314858765852087668419592107383397938"
},
"id": "ASB-A-290086710-640d978f",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java",
"function": "updateUidProcState"
},
"signature_type": "Function"
},
{
"match_only_versions": [
"15-next"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"149275339821518598722917024527968348981",
"234965234939914373346267562292934616488",
"313493199152730291669304169174276896435",
"210970471893246925949384473374949373825",
"218784459897775903464938288029826676044",
"96512608004077765210881459935368665346",
"323704604777256755927340224071007709092",
"249754007199575814856423182932898070124",
"9592093337908522306658155576396560329",
"126458199822259320344833441168839530670",
"98528291272017821678960970957259623871",
"249295992371111805370626937390377070599",
"199724485029716651248730890593484317687",
"15587083337449792691704181613098374200",
"131082735494167469451184927534036110516",
"236296243286739477343310733193468000050",
"121319889550130331067722205974429723008"
]
},
"id": "ASB-A-290086710-b91fe771",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d"
],
"spl": "2025-05-01",
"severity": "High",
"types": [
"EoP"
]
}
Android / platform/frameworks/av
Package
Ecosystem specific
{
"vanir_signatures": [
{
"digest": {
"length": 854.0,
"function_hash": "97766512600221642319392882677523302637"
},
"id": "ASB-A-290086710-30739c9a",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/camera/libcameraservice/CameraService.cpp",
"function": "CameraService::BasicClient::startCameraOps"
},
"signature_type": "Function"
},
{
"match_only_versions": [
"14"
],
"digest": {
"length": 1446.0,
"function_hash": "167571658472021730968142249955636370346"
},
"id": "ASB-A-290086710-3a0191e3",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/camera/libcameraservice/CameraService.cpp",
"function": "CameraService::BasicClient::opChanged"
},
"signature_type": "Function"
},
{
"match_only_versions": [
"14"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"292675834663999425249988058118957286606",
"202921329713952831544222533617666843101",
"47363457268071049243787657159189036621",
"3797777419502649469374211243829159482",
"281014525697257549259804357936795495438",
"13475576899591971877570731765924552749",
"25044822316811889082213305146526822238",
"306435878378023010484809286992192104310",
"46751999356910679851987948580352956538",
"186891956017417490939703876673516835047",
"305271750055051743938661016042039615261",
"48056098082814772610986852440205103977",
"278703809251719793956423613461046183192",
"241247860131011694514509276441160619821",
"321167379323989853905497695244594083097"
]
},
"id": "ASB-A-290086710-7792771f",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/camera/libcameraservice/CameraService.cpp"
},
"signature_type": "Line"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266"
],
"spl": "2025-05-01",
"severity": "High",
"types": [
"EoP"
]
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"vanir_signatures": [
{
"match_only_versions": [
"14"
],
"digest": {
"threshold": 0.9,
"line_hashes": [
"218784459897775903464938288029826676044",
"96512608004077765210881459935368665346",
"323704604777256755927340224071007709092",
"249754007199575814856423182932898070124",
"9592093337908522306658155576396560329",
"126458199822259320344833441168839530670",
"98528291272017821678960970957259623871",
"249295992371111805370626937390377070599",
"199724485029716651248730890593484317687",
"15587083337449792691704181613098374200",
"131082735494167469451184927534036110516",
"236296243286739477343310733193468000050",
"121319889550130331067722205974429723008"
]
},
"id": "ASB-A-290086710-23dd136f",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java"
},
"signature_type": "Line"
},
{
"match_only_versions": [
"14"
],
"digest": {
"length": 1621.0,
"function_hash": "180314858765852087668419592107383397938"
},
"id": "ASB-A-290086710-3a162573",
"source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java",
"function": "updateUidProcState"
},
"signature_type": "Function"
}
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649"
],
"spl": "2025-05-01",
"severity": "High",
"types": [
"EoP"
]
}