ASB-A-290086710

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-290086710.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-290086710
Aliases
  • A-290086710
  • CVE-2025-26440
Published
2025-05-01T00:00:00Z
Modified
2025-05-05T15:31:23Z
Summary
[none]
Details

In multiple functions of CameraService.cpp, there is a possible way to use the camera from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15-next:0
Fixed
15-next:2025-05-01

Affected versions

Other

15-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 1656.0,
                "function_hash": "254202837061846832544589291245355270633"
            },
            "id": "ASB-A-290086710-51dbb89d",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/camera/libcameraservice/CameraService.cpp",
                "function": "CameraService::BasicClient::opChanged"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 866.0,
                "function_hash": "302322008522747557019494382704664026732"
            },
            "id": "ASB-A-290086710-b21498a0",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/camera/libcameraservice/CameraService.cpp",
                "function": "CameraService::BasicClient::startCameraOps"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "287023254196078774974346117208349949074",
                    "71649452220605875848730161465198933078",
                    "257068969661533249716246651634082780533",
                    "32410912919073141206202916228112545218",
                    "425831353257704999743813501053022473",
                    "30648849819907695628208091309181388627",
                    "214176240908218353227764329756796466877",
                    "82556939667956581029247832626831654630",
                    "245052272985031328425942731442219873781",
                    "330931687319613007159986692846726124149",
                    "235720143994668494477436673907911073678",
                    "297963264748252115347413654939754396413",
                    "76761991812040438069226239587023531933",
                    "305271750055051743938661016042039615261",
                    "48056098082814772610986852440205103977",
                    "278703809251719793956423613461046183192",
                    "241247860131011694514509276441160619821",
                    "321167379323989853905497695244594083097",
                    "74781804252044493077812330606545515838"
                ]
            },
            "id": "ASB-A-290086710-f55f1c71",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/camera/libcameraservice/CameraService.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db"
    ],
    "spl": "2025-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15-next:0
Fixed
15-next:2025-05-01

Affected versions

Other

15-next

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "15-next"
            ],
            "digest": {
                "length": 1621.0,
                "function_hash": "180314858765852087668419592107383397938"
            },
            "id": "ASB-A-290086710-640d978f",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java",
                "function": "updateUidProcState"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "15-next"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "149275339821518598722917024527968348981",
                    "234965234939914373346267562292934616488",
                    "313493199152730291669304169174276896435",
                    "210970471893246925949384473374949373825",
                    "218784459897775903464938288029826676044",
                    "96512608004077765210881459935368665346",
                    "323704604777256755927340224071007709092",
                    "249754007199575814856423182932898070124",
                    "9592093337908522306658155576396560329",
                    "126458199822259320344833441168839530670",
                    "98528291272017821678960970957259623871",
                    "249295992371111805370626937390377070599",
                    "199724485029716651248730890593484317687",
                    "15587083337449792691704181613098374200",
                    "131082735494167469451184927534036110516",
                    "236296243286739477343310733193468000050",
                    "121319889550130331067722205974429723008"
                ]
            },
            "id": "ASB-A-290086710-b91fe771",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d"
    ],
    "spl": "2025-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/av

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2025-05-01

Affected versions

Other

14

Ecosystem specific

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 854.0,
                "function_hash": "97766512600221642319392882677523302637"
            },
            "id": "ASB-A-290086710-30739c9a",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/camera/libcameraservice/CameraService.cpp",
                "function": "CameraService::BasicClient::startCameraOps"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "14"
            ],
            "digest": {
                "length": 1446.0,
                "function_hash": "167571658472021730968142249955636370346"
            },
            "id": "ASB-A-290086710-3a0191e3",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/camera/libcameraservice/CameraService.cpp",
                "function": "CameraService::BasicClient::opChanged"
            },
            "signature_type": "Function"
        },
        {
            "match_only_versions": [
                "14"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "292675834663999425249988058118957286606",
                    "202921329713952831544222533617666843101",
                    "47363457268071049243787657159189036621",
                    "3797777419502649469374211243829159482",
                    "281014525697257549259804357936795495438",
                    "13475576899591971877570731765924552749",
                    "25044822316811889082213305146526822238",
                    "306435878378023010484809286992192104310",
                    "46751999356910679851987948580352956538",
                    "186891956017417490939703876673516835047",
                    "305271750055051743938661016042039615261",
                    "48056098082814772610986852440205103977",
                    "278703809251719793956423613461046183192",
                    "241247860131011694514509276441160619821",
                    "321167379323989853905497695244594083097"
                ]
            },
            "id": "ASB-A-290086710-7792771f",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/camera/libcameraservice/CameraService.cpp"
            },
            "signature_type": "Line"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266"
    ],
    "spl": "2025-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2025-05-01

Affected versions

Other

14

Ecosystem specific

{
    "vanir_signatures": [
        {
            "match_only_versions": [
                "14"
            ],
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "218784459897775903464938288029826676044",
                    "96512608004077765210881459935368665346",
                    "323704604777256755927340224071007709092",
                    "249754007199575814856423182932898070124",
                    "9592093337908522306658155576396560329",
                    "126458199822259320344833441168839530670",
                    "98528291272017821678960970957259623871",
                    "249295992371111805370626937390377070599",
                    "199724485029716651248730890593484317687",
                    "15587083337449792691704181613098374200",
                    "131082735494167469451184927534036110516",
                    "236296243286739477343310733193468000050",
                    "121319889550130331067722205974429723008"
                ]
            },
            "id": "ASB-A-290086710-23dd136f",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java"
            },
            "signature_type": "Line"
        },
        {
            "match_only_versions": [
                "14"
            ],
            "digest": {
                "length": 1621.0,
                "function_hash": "180314858765852087668419592107383397938"
            },
            "id": "ASB-A-290086710-3a162573",
            "source": "https://googleplex-android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java",
                "function": "updateUidProcState"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649"
    ],
    "spl": "2025-05-01",
    "severity": "High",
    "types": [
        "EoP"
    ]
}