ASB-A-322159724
See a problem?- Import Source
- https://storage.googleapis.com/android-osv/ASB-A-322159724.json
- JSON Data
- https://api.osv.dev/v1/vulns/ASB-A-322159724
- Aliases
-
- A-322159724
- CVE-2025-26436
- Published
- 2025-05-01T00:00:00Z
- Modified
- 2025-10-31T15:37:41.221363Z
- Summary
- [none]
- Details
-
In clearAllowBgActivityStarts of PendingIntentRecord.java, there is a possible way for an application to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- References
Affected packages
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/8aef21b72dca756458d25a42599779997d199f09",
"https://android.googlesource.com/platform/frameworks/base/+/155a686755e5012d591223c451304f3326dc2e78",
"https://android.googlesource.com/platform/frameworks/base/+/2e971059454eeea9b606ef82207d74da8e329ffb",
"https://android.googlesource.com/platform/frameworks/base/+/949e7bb75e395039af5bdf0aa4b48860fef69541",
"https://android.googlesource.com/platform/frameworks/base/+/47d6c81eeae1caa8046f462e7d33eea12596ee40"
],
"vanir_signatures": [
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/949e7bb75e395039af5bdf0aa4b48860fef69541",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-239b4587",
"digest": {
"length": 253.0,
"function_hash": "315486182850364949127928469199812375714"
},
"signature_type": "Function"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/8aef21b72dca756458d25a42599779997d199f09",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "core/java/android/app/BackgroundStartPrivileges.java"
},
"id": "ASB-A-322159724-416ea0db",
"digest": {
"threshold": 0.9,
"line_hashes": [
"140324972588701563399622779436675594808",
"189175855062755696618764571833968255668",
"110200191040956553868099476272764448685",
"63182009325598389576527523211180589643",
"53473314845734032696094803870978734822",
"291689239766675943480922303454460553624",
"33284809939602731274305000772344269481"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/949e7bb75e395039af5bdf0aa4b48860fef69541",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-7141a522",
"digest": {
"threshold": 0.9,
"line_hashes": [
"157358754938284845613982363090240910252",
"59610454492610548974288646291090433672",
"295082130305306998400712104370381603540",
"14759753566145558162507436168420561129",
"140919906432398105885254842128516458790",
"231717026836224630004742934860254934765",
"57986125889589431174077115654383527120",
"110383594348804497376079792302428161801",
"314809216819262646191196963262594854849",
"218746184815822338996376944836947461896",
"21111582905543654275085867136118947091",
"182192959817663489366456996000903987168",
"164556153857773039381911463174105045332",
"155961361526780088295720291893358570490",
"259243682393625471474320241228040759871",
"265921537039890553574862626019136373254",
"137098668656390143979947525019901076086",
"156878625546252757426031199820665116829",
"18821610962952428631420024417186802733"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/155a686755e5012d591223c451304f3326dc2e78",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-72b6aeb6",
"digest": {
"threshold": 0.9,
"line_hashes": [
"314809216819262646191196963262594854849",
"218746184815822338996376944836947461896",
"21111582905543654275085867136118947091",
"182192959817663489366456996000903987168",
"164556153857773039381911463174105045332",
"155961361526780088295720291893358570490",
"259243682393625471474320241228040759871",
"265921537039890553574862626019136373254",
"137098668656390143979947525019901076086",
"156878625546252757426031199820665116829",
"18821610962952428631420024417186802733"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/2e971059454eeea9b606ef82207d74da8e329ffb",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-778ea707",
"digest": {
"length": 406.0,
"function_hash": "181709421730445486207650155036023702660"
},
"signature_type": "Function"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/155a686755e5012d591223c451304f3326dc2e78",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-a10c58e3",
"digest": {
"length": 253.0,
"function_hash": "315486182850364949127928469199812375714"
},
"signature_type": "Function"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/2e971059454eeea9b606ef82207d74da8e329ffb",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-bcacba71",
"digest": {
"threshold": 0.9,
"line_hashes": [
"55330748717982221613000291851351143229",
"88378205502845250425650297713091170899",
"117761747866679811734908622187261801085",
"240505155764714865527177274672280018149",
"339583730990050844389031497161847120361",
"21111582905543654275085867136118947091",
"311960469164572102376860467559316594457",
"36044461724562767425445242174011386948",
"170301925657131867322239643947606210518",
"62704003656239088002029906578365862085",
"229428987748002570359703832632004744379",
"295668465503471019191988608292637769005",
"227184995023830380049037757018529965367",
"239758640369905727791299063475380977495",
"185493678557860530686563637193319173976",
"305544874504317442969204942778310661713",
"98705576916001734696347654018461022361",
"209129051487736159908991004345670112657",
"326437704643987457899361270427379641878"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/47d6c81eeae1caa8046f462e7d33eea12596ee40",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-dfccf278",
"digest": {
"length": 524.0,
"function_hash": "80058237329584594780203376554329353260"
},
"signature_type": "Function"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/47d6c81eeae1caa8046f462e7d33eea12596ee40",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-ed3962fa",
"digest": {
"threshold": 0.9,
"line_hashes": [
"294271992208770975976798916283184130424",
"227226101568754964643080632120027219585",
"175049459769579240741505090227572852384",
"286267799777375507659600765173409972536",
"15664330603920672328685402164606316211",
"99347489135908108139513111670919890670",
"309904516899390070753115763255508997590",
"35476717184877944129975172831088688824"
]
},
"signature_type": "Line"
}
],
"severity": "High",
"spl": "2025-05-01"
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/4000e8055f66b33ffa1fef9bee23d998b9438114",
"https://android.googlesource.com/platform/frameworks/base/+/a71599c035472fe280132df64c5f5ee361ba0e92"
],
"vanir_signatures": [
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/a71599c035472fe280132df64c5f5ee361ba0e92",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-116da0bf",
"digest": {
"threshold": 0.9,
"line_hashes": [
"69485200170959747867766580826667431722",
"124523304366923857701084737675789408687",
"140919906432398105885254842128516458790",
"231717026836224630004742934860254934765",
"314809216819262646191196963262594854849",
"218746184815822338996376944836947461896",
"21111582905543654275085867136118947091",
"182192959817663489366456996000903987168",
"164556153857773039381911463174105045332",
"155961361526780088295720291893358570490",
"259243682393625471474320241228040759871",
"265921537039890553574862626019136373254",
"137098668656390143979947525019901076086",
"156878625546252757426031199820665116829",
"18821610962952428631420024417186802733"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/a71599c035472fe280132df64c5f5ee361ba0e92",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-34585641",
"digest": {
"length": 253.0,
"function_hash": "315486182850364949127928469199812375714"
},
"signature_type": "Function"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/4000e8055f66b33ffa1fef9bee23d998b9438114",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "core/java/android/app/BackgroundStartPrivileges.java"
},
"id": "ASB-A-322159724-95ff982e",
"digest": {
"threshold": 0.9,
"line_hashes": [
"140324972588701563399622779436675594808",
"189175855062755696618764571833968255668",
"110200191040956553868099476272764448685",
"63182009325598389576527523211180589643",
"53473314845734032696094803870978734822",
"291689239766675943480922303454460553624",
"33284809939602731274305000772344269481"
]
},
"signature_type": "Line"
}
],
"severity": "High",
"spl": "2025-05-01"
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/f251732b0b46b6592300c6e33d48a5536ecb424d"
],
"vanir_signatures": [
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/f251732b0b46b6592300c6e33d48a5536ecb424d",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-5c307deb",
"digest": {
"length": 253.0,
"function_hash": "315486182850364949127928469199812375714"
},
"signature_type": "Function"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/f251732b0b46b6592300c6e33d48a5536ecb424d",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-f0647c97",
"digest": {
"threshold": 0.9,
"line_hashes": [
"86744341632652317859221224997612500422",
"302750388905306637353500155951585712634",
"105886694560362204149433112836581210405",
"287824009651713552637340138222040992468",
"136569886068479634570423766153844056987",
"314809216819262646191196963262594854849",
"218746184815822338996376944836947461896",
"21111582905543654275085867136118947091",
"182192959817663489366456996000903987168",
"164556153857773039381911463174105045332",
"155961361526780088295720291893358570490",
"259243682393625471474320241228040759871",
"33695723627737050972833778006378378268",
"173775256793180130943029590617846867638",
"314427528665349813562180704677424518206"
]
},
"signature_type": "Line"
}
],
"severity": "High",
"spl": "2025-05-01"
}
Android / platform/frameworks/base
Package
Ecosystem specific
{
"types": [
"EoP"
],
"fixes": [
"https://android.googlesource.com/platform/frameworks/base/+/5ea37ed9f0b1526c690a4edf02c36577635e43a6",
"https://android.googlesource.com/platform/frameworks/base/+/5782703d0f7c913477f1dd59b11e6e6e879199d9"
],
"vanir_signatures": [
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/5782703d0f7c913477f1dd59b11e6e6e879199d9",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-0bd9c229",
"digest": {
"threshold": 0.9,
"line_hashes": [
"86744341632652317859221224997612500422",
"302750388905306637353500155951585712634",
"105886694560362204149433112836581210405",
"287824009651713552637340138222040992468",
"136569886068479634570423766153844056987",
"314809216819262646191196963262594854849",
"218746184815822338996376944836947461896",
"21111582905543654275085867136118947091",
"182192959817663489366456996000903987168",
"164556153857773039381911463174105045332",
"155961361526780088295720291893358570490",
"259243682393625471474320241228040759871",
"265921537039890553574862626019136373254",
"137098668656390143979947525019901076086",
"156878625546252757426031199820665116829",
"18821610962952428631420024417186802733"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/5ea37ed9f0b1526c690a4edf02c36577635e43a6",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "core/java/android/app/BackgroundStartPrivileges.java"
},
"id": "ASB-A-322159724-542afb0a",
"digest": {
"threshold": 0.9,
"line_hashes": [
"140324972588701563399622779436675594808",
"189175855062755696618764571833968255668",
"110200191040956553868099476272764448685",
"63182009325598389576527523211180589643",
"53473314845734032696094803870978734822",
"291689239766675943480922303454460553624",
"33284809939602731274305000772344269481"
]
},
"signature_type": "Line"
},
{
"source": "https://android.googlesource.com/platform/frameworks/base/+/5782703d0f7c913477f1dd59b11e6e6e879199d9",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "clearAllowBgActivityStarts",
"file": "services/core/java/com/android/server/am/PendingIntentRecord.java"
},
"id": "ASB-A-322159724-553d6bf1",
"digest": {
"length": 253.0,
"function_hash": "315486182850364949127928469199812375714"
},
"signature_type": "Function"
}
],
"severity": "High",
"spl": "2025-05-01"
}