{"id":"ASB-A-301952571","details":"In DefaultTransitionHandler.java, there is a possible way to unknowingly grant permissions to an app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-301952571","CVE-2025-48639"],"modified":"2026-04-03T15:37:31.002635Z","published":"2025-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/cc34c7b416b964c05a42ae3e9c2929b59b92c64f"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/6d1697c96c5cae5062f6aea58cf2665b7d646cb8"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2025-12-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/34f7093f864616059caad72366409ab1b4792675"],"vanir_signatures":[{"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/transition/DefaultTransitionHandler.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/34f7093f864616059caad72366409ab1b4792675","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-3a792091","digest":{"threshold":0.9,"line_hashes":["102376982044160493164054560424829740992","66499418353376395208915744637021515921","130252057911911557120901590373891803764","290301398973385244038766360757378904818"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2025-12-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/626f4201c51f294dbf1dd37034aa8bd2cd549826"],"vanir_signatures":[{"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/626f4201c51f294dbf1dd37034aa8bd2cd549826","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-00e74b31","digest":{"threshold":0.9,"line_hashes":["5394850696851107489683868258220425241","118260498044634936657883368239434792272","111512741543011694653014009302648536530"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-12-01"}]}],"versions":["15"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/1d37fc960d93d216e151d74662ccc5d53fd68978"],"vanir_signatures":[{"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/transition/DefaultTransitionHandler.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/1d37fc960d93d216e151d74662ccc5d53fd68978","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-7562e2de","digest":{"threshold":0.9,"line_hashes":["248856889590144885621918607836282539025","144531626938778448552179873240849072977","106039877743107897291918924499970282509","188457292567742801376067883879181012870"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-12-01"}]}],"versions":["15"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/a1c211a49aff429e54e9d0f41649ab18c1b4e22d"],"vanir_signatures":[{"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/a1c211a49aff429e54e9d0f41649ab18c1b4e22d","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-863a7e80","digest":{"threshold":0.9,"line_hashes":["154201780020139837239759456663197568923","307574667483685234664799342826226447129","111512741543011694653014009302648536530"]}},{"target":{"function":"InputDispatcher::canWindowReceiveMotionLocked","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/a1c211a49aff429e54e9d0f41649ab18c1b4e22d","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"ASB-A-301952571-fa767d19","digest":{"length":1841,"function_hash":"293883125124188735835403008805557989755"}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-12-01"}]}],"versions":["16"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/71d67882398e9a28c268e19d5a5d66ff7632c4ed"],"vanir_signatures":[{"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/transition/DefaultTransitionHandler.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/71d67882398e9a28c268e19d5a5d66ff7632c4ed","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-6f7088c2","digest":{"threshold":0.9,"line_hashes":["248856889590144885621918607836282539025","170601685298913636518152436052267910966","130252057911911557120901590373891803764","290301398973385244038766360757378904818"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-12-01"}]}],"versions":["16"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/61b3b73116cb7fc760683db1d02e6466522aacbf"],"vanir_signatures":[{"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/61b3b73116cb7fc760683db1d02e6466522aacbf","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-5dc813ca","digest":{"threshold":0.9,"line_hashes":["5394850696851107489683868258220425241","118260498044634936657883368239434792272","111512741543011694653014009302648536530"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-12-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/1e9412266ede59c046b83ad3a3fbfcaba94a1787"],"vanir_signatures":[{"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/transition/DefaultTransitionHandler.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/1e9412266ede59c046b83ad3a3fbfcaba94a1787","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-bf2b2d08","digest":{"threshold":0.9,"line_hashes":["248856889590144885621918607836282539025","44536510841965663279992936573567125690","5614311063228002728842156457546024868","286505572372986416403478625591453334143"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-12-01"}]}],"versions":["13"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/9f65d0158f853ca4571a7af155969f0081d79a49"],"vanir_signatures":[{"target":{"function":"InputDispatcher::findTouchedWindowTargetsLocked","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/9f65d0158f853ca4571a7af155969f0081d79a49","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"ASB-A-301952571-44b6301a","digest":{"length":11604,"function_hash":"55669835188213314027306847272836052850"}},{"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/9f65d0158f853ca4571a7af155969f0081d79a49","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-c6b4d22f","digest":{"threshold":0.9,"line_hashes":["108905384051329200733903586878036295580","177927706532921712772368279218975722500","216405314139094600963822921191872050443","219664331880740055396330504946416842747"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-12-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/0f849cfc111ebb8324bdf11039b4a5dc998feefa"],"vanir_signatures":[{"target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/transition/DefaultTransitionHandler.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/0f849cfc111ebb8324bdf11039b4a5dc998feefa","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-eaff47c8","digest":{"threshold":0.9,"line_hashes":["248856889590144885621918607836282539025","144531626938778448552179873240849072977","106039877743107897291918924499970282509","188457292567742801376067883879181012870"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-12-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/native/+/3c01b64e016060ce736a893922aec1f2ebca2995"],"vanir_signatures":[{"target":{"function":"InputDispatcher::canWindowReceiveMotionLocked","file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/3c01b64e016060ce736a893922aec1f2ebca2995","signature_version":"v1","deprecated":false,"signature_type":"Function","id":"ASB-A-301952571-39d8b960","digest":{"length":1546,"function_hash":"75330836211644953868411228713032159909"}},{"target":{"file":"services/inputflinger/dispatcher/InputDispatcher.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/3c01b64e016060ce736a893922aec1f2ebca2995","signature_version":"v1","deprecated":false,"signature_type":"Line","id":"ASB-A-301952571-e28b9735","digest":{"threshold":0.9,"line_hashes":["154201780020139837239759456663197568923","307574667483685234664799342826226447129","111512741543011694653014009302648536530"]}}],"spl":"2025-12-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-301952571.json"}}],"schema_version":"1.7.5"}