ASB-A-406243581

See a problem?

Import Source

https://storage.googleapis.com/android-osv/ASB-A-406243581.json

JSON Data

https://api.osv.dev/v1/vulns/ASB-A-406243581

Aliases

A-406243581
CVE-2025-48634

Published

2026-03-01T00:00:00Z

Modified

2026-03-18T16:30:34.336041Z

Summary

[none]

Details

In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

16-qpr2-next:0

Fixed

16-qpr2-next:2026-03-01

Affected versions

Other

16-qpr2-next

Ecosystem specific

{
    "types": [
        "EoP"
    ],
    "spl": "2026-03-01",
    "vanir_signatures": [
        {
            "id": "ASB-A-406243581-ed215e81",
            "digest": {
                "line_hashes": [
                    "112583862987529910522567824721871660130",
                    "189728754272288778320140357092676926841",
                    "140678696297236203857523858943838595476",
                    "291509775819964769957008111257006813343",
                    "229568372283406239577373304007358426862",
                    "189414961804717561348112178889594480441",
                    "180903832185307819131027470734712313519"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/ec6a92be6c93173fb5c61f95ff92e0f68fe0e951",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java"
            }
        },
        {
            "id": "ASB-A-406243581-f4c2e690",
            "digest": {
                "function_hash": "279581721051398527638503601821170503552",
                "length": 11635.0
            },
            "signature_type": "Function",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/ec6a92be6c93173fb5c61f95ff92e0f68fe0e951",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java",
                "function": "relayoutWindow"
            }
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/ec6a92be6c93173fb5c61f95ff92e0f68fe0e951"
    ],
    "severity": "High"
}

Database specific

source

"https://storage.googleapis.com/android-osv/ASB-A-406243581.json"

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15:0

Fixed

15:2026-03-01

Affected versions

Other

Ecosystem specific

{
    "types": [
        "EoP"
    ],
    "spl": "2026-03-01",
    "vanir_signatures": [
        {
            "id": "ASB-A-406243581-6fa0a613",
            "digest": {
                "function_hash": "206320670549241016482915091670925069494",
                "length": 10959.0
            },
            "signature_type": "Function",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/29c46c3d650fb67ff933fc6c904d15014158b332",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java",
                "function": "relayoutWindowInner"
            }
        },
        {
            "id": "ASB-A-406243581-ce0956fd",
            "digest": {
                "line_hashes": [
                    "112583862987529910522567824721871660130",
                    "189728754272288778320140357092676926841",
                    "140678696297236203857523858943838595476",
                    "291509775819964769957008111257006813343",
                    "258875520015750802158282843496210785025",
                    "92206392459357694396348100288410649378",
                    "286176192243987583194537110423231071488"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/29c46c3d650fb67ff933fc6c904d15014158b332",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java"
            }
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/29c46c3d650fb67ff933fc6c904d15014158b332",
        "https://android.googlesource.com/platform/frameworks/base/+/5714f42fb1a1ba2fc2c04d56bb979e07fe19b8b2"
    ],
    "severity": "High"
}

Database specific

source

"https://storage.googleapis.com/android-osv/ASB-A-406243581.json"

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

16:0

Fixed

16:2026-03-01

Affected versions

Other

Ecosystem specific

{
    "types": [
        "EoP"
    ],
    "spl": "2026-03-01",
    "vanir_signatures": [
        {
            "id": "ASB-A-406243581-5525f276",
            "digest": {
                "line_hashes": [
                    "112583862987529910522567824721871660130",
                    "189728754272288778320140357092676926841",
                    "140678696297236203857523858943838595476",
                    "291509775819964769957008111257006813343",
                    "258875520015750802158282843496210785025",
                    "92206392459357694396348100288410649378",
                    "286176192243987583194537110423231071488"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3d9b1584cee3013a374b4bfbcd7a3a75723d5379",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java"
            }
        },
        {
            "id": "ASB-A-406243581-7d995324",
            "digest": {
                "function_hash": "94430360263907152526751612673174960663",
                "length": 10749.0
            },
            "signature_type": "Function",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3d9b1584cee3013a374b4bfbcd7a3a75723d5379",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java",
                "function": "relayoutWindow"
            }
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3d9b1584cee3013a374b4bfbcd7a3a75723d5379"
    ],
    "severity": "High"
}

Database specific

source

"https://storage.googleapis.com/android-osv/ASB-A-406243581.json"

Android / platform/frameworks/base

Package

Name: platform/frameworks/base

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14:0

Fixed

14:2026-03-01

Affected versions

Other

Ecosystem specific

{
    "types": [
        "EoP"
    ],
    "spl": "2026-03-01",
    "vanir_signatures": [
        {
            "id": "ASB-A-406243581-9f1ff602",
            "digest": {
                "function_hash": "28785521871887049764891649859350298238",
                "length": 10179.0
            },
            "signature_type": "Function",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3493e4a41abf3fcb8b41450a8a2e8bcf9190d1e3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java",
                "function": "relayoutWindow"
            }
        },
        {
            "id": "ASB-A-406243581-f2a1a216",
            "digest": {
                "line_hashes": [
                    "112583862987529910522567824721871660130",
                    "189728754272288778320140357092676926841",
                    "295516143435131289960592876169986754761",
                    "232869217442341220934629217606644293733",
                    "258875520015750802158282843496210785025",
                    "9581110405437095469757627657481320544",
                    "104224205874430344868761495841613970321"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://android.googlesource.com/platform/frameworks/base/+/3493e4a41abf3fcb8b41450a8a2e8bcf9190d1e3",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "services/core/java/com/android/server/wm/WindowManagerService.java"
            }
        }
    ],
    "fixes": [
        "https://android.googlesource.com/platform/frameworks/base/+/3493e4a41abf3fcb8b41450a8a2e8bcf9190d1e3"
    ],
    "severity": "High"
}

Database specific

source

"https://storage.googleapis.com/android-osv/ASB-A-406243581.json"