ASB-A-326571066

See a problem?

Import Source

https://storage.googleapis.com/android-osv/ASB-A-326571066.json

JSON Data

https://api.osv.dev/v1/vulns/ASB-A-326571066

Aliases

A-326571066
CVE-2025-48627

Published

2025-12-01T00:00:00Z

Modified

2025-12-12T17:17:34.115444Z

Summary

[none]

Details

In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

https://source.android.com/security/bulletin/2025-12-01

Affected packages

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

16-qpr2-next:0

Fixed

16-qpr2-next:2025-12-01

Affected versions

Other

16-qpr2-next

Ecosystem specific

{
    "spl": "2025-12-01",
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "125986606726625882285234545796372220868",
                "length": 3049.0
            },
            "source": "https://android.googlesource.com/platform/frameworks/base/+/d34ae40f870d4362a069940a035a4d58a536a231",
            "id": "ASB-A-326571066-3e815315",
            "deprecated": false,
            "target": {
                "file": "services/core/java/com/android/server/wm/ActivityTaskManagerService.java",
                "function": "startNextMatchingActivity"
            },
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "38744322835598934261403143159623226430",
                    "319403857700301660382094419642529203765",
                    "258830789992759248493789321732060780627",
                    "30767152278663014052777514754286447248",
                    "333186094094834558329410338961478831156",
                    "156801257386743303490337615679846431758",
                    "277619237961344534668546512755178425564",
                    "233392774852901342234222876334376782423",
                    "143294482730940875398179024393826938036",
                    "266500950927352471030922760289034248797",
                    "155407033172669539942562292483222869242",
                    "305036455271346379281266795436063368708"
                ]
            },
            "source": "https://android.googlesource.com/platform/frameworks/base/+/d34ae40f870d4362a069940a035a4d58a536a231",
            "id": "ASB-A-326571066-5c811f8a",
            "deprecated": false,
            "target": {
                "file": "services/core/java/com/android/server/wm/ActivityTaskManagerService.java"
            },
            "signature_version": "v1",
            "signature_type": "Line"
        }
    ],
    "severity": "High",
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/d34ae40f870d4362a069940a035a4d58a536a231"
    ],
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13:0

Fixed

13:2025-12-01

Affected versions

Other

Ecosystem specific

{
    "spl": "2025-12-01",
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "226137044291057222073173857474781459336",
                "length": 2945.0
            },
            "source": "https://android.googlesource.com/platform/frameworks/base/+/916e96afc82f99deef42d889b1206b50c03f8209",
            "id": "ASB-A-326571066-7e2b9ee3",
            "deprecated": false,
            "target": {
                "file": "services/core/java/com/android/server/wm/ActivityTaskManagerService.java",
                "function": "startNextMatchingActivity"
            },
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "38744322835598934261403143159623226430",
                    "319403857700301660382094419642529203765",
                    "258830789992759248493789321732060780627",
                    "43787942809969134241995743940759675676",
                    "296249654319491159679879059860441239785",
                    "30767152278663014052777514754286447248",
                    "333186094094834558329410338961478831156",
                    "156801257386743303490337615679846431758",
                    "277619237961344534668546512755178425564",
                    "233392774852901342234222876334376782423",
                    "143294482730940875398179024393826938036",
                    "266500950927352471030922760289034248797",
                    "252846042200044892050975798432609940730",
                    "336331804868354126233717638681934759592"
                ]
            },
            "source": "https://android.googlesource.com/platform/frameworks/base/+/916e96afc82f99deef42d889b1206b50c03f8209",
            "id": "ASB-A-326571066-c21dcabc",
            "deprecated": false,
            "target": {
                "file": "services/core/java/com/android/server/wm/ActivityTaskManagerService.java"
            },
            "signature_version": "v1",
            "signature_type": "Line"
        }
    ],
    "severity": "High",
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/916e96afc82f99deef42d889b1206b50c03f8209"
    ],
    "types": [
        "EoP"
    ]
}

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14:0

Fixed

14:2025-12-01

Affected versions

Other

Ecosystem specific

{
    "spl": "2025-12-01",
    "vanir_signatures": [
        {
            "digest": {
                "function_hash": "226137044291057222073173857474781459336",
                "length": 2945.0
            },
            "source": "https://android.googlesource.com/platform/frameworks/base/+/008a27811ad65dd826f040b7d1e7366b0c9f917e",
            "id": "ASB-A-326571066-14bfa2d8",
            "deprecated": false,
            "target": {
                "file": "services/core/java/com/android/server/wm/ActivityTaskManagerService.java",
                "function": "startNextMatchingActivity"
            },
            "signature_version": "v1",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "38744322835598934261403143159623226430",
                    "319403857700301660382094419642529203765",
                    "258830789992759248493789321732060780627",
                    "43787942809969134241995743940759675676",
                    "296249654319491159679879059860441239785",
                    "30767152278663014052777514754286447248",
                    "333186094094834558329410338961478831156",
                    "156801257386743303490337615679846431758",
                    "277619237961344534668546512755178425564",
                    "177809087579538070238245537243034007378",
                    "269362116107589722058194574776708902081",
                    "53221371259381438459360905865126339575",
                    "155046736446939757154999034983477504036",
                    "64531953434324119995642499705604382882",
                    "333516042649489253463512250328517668790",
                    "311103090027810912653217446501431600245",
                    "311545419293262592779433611898598004330",
                    "64422315487152615121553626652131733082",
                    "233392774852901342234222876334376782423",
                    "143294482730940875398179024393826938036",
                    "266500950927352471030922760289034248797",
                    "252846042200044892050975798432609940730",
                    "336331804868354126233717638681934759592",
                    "146113047732805261016662476579002387606",
                    "280989723271764441248974080608782019831"
                ]
            },
            "source": "https://android.googlesource.com/platform/frameworks/base/+/008a27811ad65dd826f040b7d1e7366b0c9f917e",
            "id": "ASB-A-326571066-ff94ccd2",
            "deprecated": false,
            "target": {
                "file": "services/core/java/com/android/server/wm/ActivityTaskManagerService.java"
            },
            "signature_version": "v1",
            "signature_type": "Line"
        }
    ],
    "severity": "High",
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/008a27811ad65dd826f040b7d1e7366b0c9f917e"
    ],
    "types": [
        "EoP"
    ]
}