{"id":"ASB-A-310632322","details":"In BroadcastController.java of registerReceiverWithFeatureTraced, there is a possible way to receive broadcasts meant for the \"android\" package due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-310632322","CVE-2025-26426"],"modified":"2026-05-28T15:16:54.500952700Z","published":"2025-05-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-05-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/475f9914f71641f0eedc4a8412cf48f49290a60c"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/99aae825ded253fe58695ceb853f2f631137f1c4"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-05-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-05-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/0e91977c4ebfdfe4e2124373d22f99dfe211a06b"],"severity":"High","vanir_signatures":[{"signature_type":"Line","id":"ASB-A-310632322-5343e828","target":{"file":"services/core/java/com/android/server/am/BroadcastController.java"},"digest":{"threshold":0.9,"line_hashes":["78920828487289343444354263559440691708","161551587904927743660170258268839912466","299900998363379098184580588787617290862","96907630862398053829500626026911283495","25777738941556898659018170680846418808"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/0e91977c4ebfdfe4e2124373d22f99dfe211a06b","signature_version":"v1","deprecated":false},{"signature_type":"Function","id":"ASB-A-310632322-7fa6b466","signature_version":"v1","digest":{"length":8272,"function_hash":"113816175393555925411448803840263536782"},"source":"https://android.googlesource.com/platform/frameworks/base/+/0e91977c4ebfdfe4e2124373d22f99dfe211a06b","target":{"function":"registerReceiverWithFeatureTraced","file":"services/core/java/com/android/server/am/BroadcastController.java"},"deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-310632322.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-05-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/da489e4fb5c9f8f322538fb6877f971856e7787e","https://android.googlesource.com/platform/frameworks/base/+/a49d3c13aac1aa7d258665e14d8e5cc2ff7638df"],"types":["EoP"],"severity":"High","vanir_signatures":[{"signature_type":"Function","id":"ASB-A-310632322-56a451aa","target":{"function":"registerReceiverWithFeatureTraced","file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"digest":{"length":8209,"function_hash":"146737399782776354467801637207932017577"},"source":"https://android.googlesource.com/platform/frameworks/base/+/da489e4fb5c9f8f322538fb6877f971856e7787e","signature_version":"v1","deprecated":false},{"signature_type":"Line","id":"ASB-A-310632322-712f3828","target":{"file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["78920828487289343444354263559440691708","161551587904927743660170258268839912466","299900998363379098184580588787617290862","96907630862398053829500626026911283495","25777738941556898659018170680846418808"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/da489e4fb5c9f8f322538fb6877f971856e7787e","signature_version":"v1","deprecated":false},{"signature_type":"Line","match_only_versions":["15"],"source":"https://android.googlesource.com/platform/frameworks/base/+/a49d3c13aac1aa7d258665e14d8e5cc2ff7638df","digest":{"threshold":0.9,"line_hashes":["146920088912323429608733812733026184786","287155211863119620678037722781452293840","220727132240116226747682045160591348975","119627214757814213501603885775267073188"]},"signature_version":"v1","id":"ASB-A-310632322-c8f6ad22","target":{"file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false},{"signature_type":"Function","id":"ASB-A-310632322-e78c151b","source":"https://android.googlesource.com/platform/frameworks/base/+/a49d3c13aac1aa7d258665e14d8e5cc2ff7638df","digest":{"length":8173,"function_hash":"161232310663260284934164549120414750265"},"signature_version":"v1","target":{"function":"registerReceiverWithFeatureTraced","file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-310632322.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-05-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/1db6b990eaa47938c24063991c64e4ee608d362b","https://android.googlesource.com/platform/frameworks/base/+/e690fb63636409ae64dcb88df4cc87c7c2850619"],"types":["EoP"],"severity":"High","vanir_signatures":[{"signature_type":"Function","id":"ASB-A-310632322-22b4eb3a","signature_version":"v1","digest":{"length":6276,"function_hash":"94852590360102562081247224617585651546"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e690fb63636409ae64dcb88df4cc87c7c2850619","target":{"function":"registerReceiverWithFeature","file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false},{"signature_type":"Function","id":"ASB-A-310632322-42a5f962","signature_version":"v1","digest":{"length":6312,"function_hash":"252149787302657495670487162934060411901"},"source":"https://android.googlesource.com/platform/frameworks/base/+/1db6b990eaa47938c24063991c64e4ee608d362b","target":{"function":"registerReceiverWithFeature","file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false},{"signature_type":"Line","id":"ASB-A-310632322-4e8c97ac","source":"https://android.googlesource.com/platform/frameworks/base/+/e690fb63636409ae64dcb88df4cc87c7c2850619","digest":{"threshold":0.9,"line_hashes":["141290328006033960389295247434202981799","329741114504229128855395715588367363533","220727132240116226747682045160591348975","119627214757814213501603885775267073188"]},"signature_version":"v1","target":{"file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false},{"signature_type":"Line","id":"ASB-A-310632322-fc6f2a3b","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["14398641098436164184208260927304032713","161551587904927743660170258268839912466","299900998363379098184580588787617290862","96907630862398053829500626026911283495","25777738941556898659018170680846418808"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/1db6b990eaa47938c24063991c64e4ee608d362b","target":{"file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-310632322.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-05-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-05-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/3ae94b0da53aed63380263131795746b12296391","https://android.googlesource.com/platform/frameworks/base/+/d1b79a295aa83e389b903c5354eb33e787801997"],"types":["EoP"],"severity":"High","vanir_signatures":[{"signature_type":"Line","id":"ASB-A-310632322-1128f93c","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["78920828487289343444354263559440691708","161551587904927743660170258268839912466","299900998363379098184580588787617290862","96907630862398053829500626026911283495","25777738941556898659018170680846418808"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/3ae94b0da53aed63380263131795746b12296391","target":{"file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false},{"signature_type":"Function","id":"ASB-A-310632322-85a427cd","signature_version":"v1","digest":{"length":7857,"function_hash":"62315480724415764454310078696897008343"},"target":{"function":"registerReceiverWithFeature","file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/3ae94b0da53aed63380263131795746b12296391","deprecated":false},{"signature_type":"Line","match_only_versions":["14"],"source":"https://android.googlesource.com/platform/frameworks/base/+/d1b79a295aa83e389b903c5354eb33e787801997","digest":{"threshold":0.9,"line_hashes":["146920088912323429608733812733026184786","287155211863119620678037722781452293840","220727132240116226747682045160591348975","119627214757814213501603885775267073188"]},"target":{"file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"id":"ASB-A-310632322-e7096967","signature_version":"v1","deprecated":false},{"signature_type":"Function","id":"ASB-A-310632322-ff6f96b6","signature_version":"v1","digest":{"length":7821,"function_hash":"70884704147072818808108067781972915585"},"source":"https://android.googlesource.com/platform/frameworks/base/+/d1b79a295aa83e389b903c5354eb33e787801997","target":{"function":"registerReceiverWithFeature","file":"services/core/java/com/android/server/am/ActivityManagerService.java"},"deprecated":false}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-310632322.json"}}],"schema_version":"1.7.5"}