{"id":"ASB-A-290086710","details":"In multiple functions of CameraService.cpp, there is a possible way to use the camera from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-290086710","CVE-2025-26440"],"modified":"2026-05-22T15:55:21.353668239Z","published":"2025-05-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-05-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/av/+/b9a047c94deb06ab7ff956e4fb50b19ddd70cf9a"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/b90d4d01e1bfaacae0e1f144075f72b1fb036799"}],"affected":[{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-05-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db"],"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db","digest":{"length":1656,"function_hash":"254202837061846832544589291245355270633"},"id":"ASB-A-290086710-51dbb89d","deprecated":false,"signature_type":"Function","target":{"file":"services/camera/libcameraservice/CameraService.cpp","function":"CameraService::BasicClient::opChanged"}},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db","digest":{"length":866,"function_hash":"302322008522747557019494382704664026732"},"id":"ASB-A-290086710-b21498a0","deprecated":false,"signature_type":"Function","target":{"file":"services/camera/libcameraservice/CameraService.cpp","function":"CameraService::BasicClient::startCameraOps"}},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ca1e0064d9dcb824e6c8eda8472e4623cea4c3db","digest":{"line_hashes":["287023254196078774974346117208349949074","71649452220605875848730161465198933078","257068969661533249716246651634082780533","32410912919073141206202916228112545218","425831353257704999743813501053022473","30648849819907695628208091309181388627","214176240908218353227764329756796466877","82556939667956581029247832626831654630","245052272985031328425942731442219873781","330931687319613007159986692846726124149","235720143994668494477436673907911073678","297963264748252115347413654939754396413","76761991812040438069226239587023531933","305271750055051743938661016042039615261","48056098082814772610986852440205103977","278703809251719793956423613461046183192","241247860131011694514509276441160619821","321167379323989853905497695244594083097","74781804252044493077812330606545515838"],"threshold":0.9},"id":"ASB-A-290086710-f55f1c71","deprecated":false,"signature_type":"Line","target":{"file":"services/camera/libcameraservice/CameraService.cpp"}}],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-290086710.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-05-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d"],"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d","digest":{"length":1621,"function_hash":"180314858765852087668419592107383397938"},"signature_type":"Function","target":{"file":"services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java","function":"updateUidProcState"},"id":"ASB-A-290086710-640d978f","match_only_versions":["15-next"],"deprecated":false},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/356db3272814f8c7dd12ca2ddf27e812892e330d","digest":{"line_hashes":["149275339821518598722917024527968348981","234965234939914373346267562292934616488","313493199152730291669304169174276896435","210970471893246925949384473374949373825","218784459897775903464938288029826676044","96512608004077765210881459935368665346","323704604777256755927340224071007709092","249754007199575814856423182932898070124","9592093337908522306658155576396560329","126458199822259320344833441168839530670","98528291272017821678960970957259623871","249295992371111805370626937390377070599","199724485029716651248730890593484317687","15587083337449792691704181613098374200","131082735494167469451184927534036110516","236296243286739477343310733193468000050","121319889550130331067722205974429723008"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java"},"id":"ASB-A-290086710-b91fe771","match_only_versions":["15-next"],"deprecated":false}],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-290086710.json"}},{"package":{"name":"platform/frameworks/av","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-05-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266"],"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266","digest":{"length":854,"function_hash":"97766512600221642319392882677523302637"},"id":"ASB-A-290086710-30739c9a","signature_type":"Function","deprecated":false,"target":{"file":"services/camera/libcameraservice/CameraService.cpp","function":"CameraService::BasicClient::startCameraOps"}},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266","digest":{"length":1446,"function_hash":"167571658472021730968142249955636370346"},"signature_type":"Function","target":{"file":"services/camera/libcameraservice/CameraService.cpp","function":"CameraService::BasicClient::opChanged"},"id":"ASB-A-290086710-3a0191e3","match_only_versions":["14"],"deprecated":false},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/av/+/ecc539d95651d7a922c10f034f7ae3d30da67266","digest":{"line_hashes":["292675834663999425249988058118957286606","202921329713952831544222533617666843101","47363457268071049243787657159189036621","3797777419502649469374211243829159482","281014525697257549259804357936795495438","13475576899591971877570731765924552749","25044822316811889082213305146526822238","306435878378023010484809286992192104310","46751999356910679851987948580352956538","186891956017417490939703876673516835047","305271750055051743938661016042039615261","48056098082814772610986852440205103977","278703809251719793956423613461046183192","241247860131011694514509276441160619821","321167379323989853905497695244594083097"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/camera/libcameraservice/CameraService.cpp"},"id":"ASB-A-290086710-7792771f","match_only_versions":["14"],"deprecated":false}],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-290086710.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-05-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649"],"types":["EoP"],"vanir_signatures":[{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649","digest":{"line_hashes":["218784459897775903464938288029826676044","96512608004077765210881459935368665346","323704604777256755927340224071007709092","249754007199575814856423182932898070124","9592093337908522306658155576396560329","126458199822259320344833441168839530670","98528291272017821678960970957259623871","249295992371111805370626937390377070599","199724485029716651248730890593484317687","15587083337449792691704181613098374200","131082735494167469451184927534036110516","236296243286739477343310733193468000050","121319889550130331067722205974429723008"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java"},"id":"ASB-A-290086710-23dd136f","match_only_versions":["14"],"deprecated":false},{"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c1b8ec5b8b79251289599f0bcd8fce9f355a3649","digest":{"length":1621,"function_hash":"180314858765852087668419592107383397938"},"signature_type":"Function","target":{"file":"services/core/java/com/android/server/appop/AppOpsUidStateTrackerImpl.java","function":"updateUidProcState"},"id":"ASB-A-290086710-3a162573","match_only_versions":["14"],"deprecated":false}],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-290086710.json"}}],"schema_version":"1.7.5"}