{"id":"ASB-A-351830787","details":"In setUserDisclaimerAcknowledged of CarDevicePolicyService.java, there is a possible way to bypass the user dialog when adding an account to a managed device due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-351830787","CVE-2025-26418"],"modified":"2026-06-16T15:04:57.126039127Z","published":"2026-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-06-01"}],"affected":[{"package":{"name":"platform/packages/services/Car","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"17-next:0"},{"fixed":"17-next:2026-06-01"}]}],"versions":["17-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/services/Car/+/1111e31c89e9ed293f1c6947d29819ec85ab1079"],"severity":"High","spl":"2026-06-01","types":["EoP"],"vanir_signatures":[{"digest":{"line_hashes":["44767551250258431031953702734849958369","34130837925024244807862389383809247798","180249908577208746982286680634614732620","18667617509951792667757384290115491433","159776508980834853746518633739865254468","267988298681156892568840090451634773194"],"threshold":0.9},"signature_version":"v1","signature_type":"Line","id":"ASB-A-351830787-3d541c4b","deprecated":false,"source":"https://android.googlesource.com/platform/packages/services/Car/+/1111e31c89e9ed293f1c6947d29819ec85ab1079","target":{"file":"service/src/com/android/car/admin/CarDevicePolicyService.java"}},{"digest":{"function_hash":"308408089892732137531149246928219734430","length":321},"signature_type":"Function","deprecated":false,"id":"ASB-A-351830787-4a4aacec","target":{"function":"setUserDisclaimerAcknowledged","file":"service/src/com/android/car/admin/CarDevicePolicyService.java"},"source":"https://android.googlesource.com/platform/packages/services/Car/+/1111e31c89e9ed293f1c6947d29819ec85ab1079","signature_version":"v1"},{"digest":{"line_hashes":["215098601854161687189435224539068469883","190999509749522505711905941354774094166","16176578470122675511107209725921522241"],"threshold":0.9},"source":"https://android.googlesource.com/platform/packages/services/Car/+/1111e31c89e9ed293f1c6947d29819ec85ab1079","signature_version":"v1","id":"ASB-A-351830787-f64aa601","signature_type":"Line","deprecated":false,"target":{"file":"car-lib/src/android/car/admin/CarDevicePolicyManager.java"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-351830787.json"}},{"package":{"name":"platform/packages/services/Car","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-06-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/services/Car/+/6b03abf9c9dbbc35dfd2e64df31f7d19e77445d8"],"severity":"High","spl":"2026-06-01","types":["EoP"],"vanir_signatures":[{"digest":{"function_hash":"308408089892732137531149246928219734430","length":321},"target":{"function":"setUserDisclaimerAcknowledged","file":"service/src/com/android/car/admin/CarDevicePolicyService.java"},"deprecated":false,"id":"ASB-A-351830787-597275c2","source":"https://android.googlesource.com/platform/packages/services/Car/+/6b03abf9c9dbbc35dfd2e64df31f7d19e77445d8","signature_type":"Function","signature_version":"v1"},{"digest":{"line_hashes":["44767551250258431031953702734849958369","34130837925024244807862389383809247798","180249908577208746982286680634614732620","18667617509951792667757384290115491433","159776508980834853746518633739865254468","267988298681156892568840090451634773194"],"threshold":0.9},"target":{"file":"service/src/com/android/car/admin/CarDevicePolicyService.java"},"deprecated":false,"id":"ASB-A-351830787-90adb68d","source":"https://android.googlesource.com/platform/packages/services/Car/+/6b03abf9c9dbbc35dfd2e64df31f7d19e77445d8","signature_type":"Line","signature_version":"v1"},{"digest":{"line_hashes":["215098601854161687189435224539068469883","190999509749522505711905941354774094166","16176578470122675511107209725921522241"],"threshold":0.9},"target":{"file":"car-lib/src/android/car/admin/CarDevicePolicyManager.java"},"deprecated":false,"id":"ASB-A-351830787-ca50f5cf","source":"https://android.googlesource.com/platform/packages/services/Car/+/6b03abf9c9dbbc35dfd2e64df31f7d19e77445d8","signature_type":"Line","signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-351830787.json"}},{"package":{"name":"platform/packages/services/Car","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-06-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/services/Car/+/dd8e3f0ca750fd170e4afce0cbf2a9323c43dfe5"],"severity":"High","spl":"2026-06-01","types":["EoP"],"vanir_signatures":[{"digest":{"line_hashes":["44767551250258431031953702734849958369","34130837925024244807862389383809247798","180249908577208746982286680634614732620","18667617509951792667757384290115491433","159776508980834853746518633739865254468","267988298681156892568840090451634773194"],"threshold":0.9},"source":"https://android.googlesource.com/platform/packages/services/Car/+/dd8e3f0ca750fd170e4afce0cbf2a9323c43dfe5","signature_version":"v1","id":"ASB-A-351830787-5aad9a21","signature_type":"Line","deprecated":false,"target":{"file":"service/src/com/android/car/admin/CarDevicePolicyService.java"}},{"digest":{"line_hashes":["131657575367300493001464047003608493032","315708547886175091876824329512086417344","172507282698332647779934886591643831999"],"threshold":0.9},"target":{"file":"car-lib/src/android/car/admin/CarDevicePolicyManager.java"},"deprecated":false,"id":"ASB-A-351830787-b7230511","source":"https://android.googlesource.com/platform/packages/services/Car/+/dd8e3f0ca750fd170e4afce0cbf2a9323c43dfe5","signature_type":"Line","signature_version":"v1"},{"digest":{"function_hash":"308408089892732137531149246928219734430","length":321},"target":{"function":"setUserDisclaimerAcknowledged","file":"service/src/com/android/car/admin/CarDevicePolicyService.java"},"deprecated":false,"id":"ASB-A-351830787-e6706f83","source":"https://android.googlesource.com/platform/packages/services/Car/+/dd8e3f0ca750fd170e4afce0cbf2a9323c43dfe5","signature_type":"Function","signature_version":"v1"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-351830787.json"}}],"schema_version":"1.7.5"}