ASB-A-409780975

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-409780975.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-409780975
Aliases
Published
2025-09-01T00:00:00Z
Modified
2026-04-17T15:55:28.020024Z
Summary
[none]
Details

In startSpaActivityForApp of SpaActivity.kt, there is a possible cross-user permission bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / platform/packages/apps/Settings

Package

Name
platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
16-next:0
Fixed
16-next:2025-09-01

Affected versions

Other
16-next

Ecosystem specific 

{
    "severity": "High",
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/b2ee5ccf5b79d50cf53a86716042f0e2d7ff42ad"
    ],
    "spl": "2025-09-01",
    "types": [
        "EoP"
    ]
}

Database specific

source 
"https://storage.googleapis.com/android-osv/ASB-A-409780975.json"

Android / platform/packages/apps/Settings

Package

Name
platform/packages/apps/Settings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14:0
Fixed
14:2025-09-01

Affected versions

Other
14

Ecosystem specific 

{
    "severity": "High",
    "fixes": [
        "https://android.googlesource.com/platform/packages/apps/Settings/+/65bb641d78c146921693ef894c3bdebc5b87660d"
    ],
    "spl": "2025-09-01",
    "types": [
        "EoP"
    ]
}

Database specific

source 
"https://storage.googleapis.com/android-osv/ASB-A-409780975.json"