{"id":"ASB-A-354682735","details":"In InputMethodSubtypeArray of InputMethodSubtypeArray.java, there is a possible way to bypass a key intent check to launch arbitrary activity due to Parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-354682735","CVE-2024-49721"],"modified":"2026-04-22T14:59:17.843400Z","published":"2025-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-02-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/7714ccb85ed961083dcc97e230c71242c3422b5e"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-02-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/bc2fbfc0b73535ce9d0c9f73b5130cfffaf4daee"],"severity":"High","types":["EoP"],"vanir_signatures":[{"id":"ASB-A-354682735-bdbd1edf","source":"https://android.googlesource.com/platform/frameworks/base/+/bc2fbfc0b73535ce9d0c9f73b5130cfffaf4daee","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["272945656874343307030929176821475903658","81868893111351473390432093093509595063","167685174330799183210139295969513440766","86278732709458178783488113640790302973","173153596735623192581762532373667618704","28096001934477478579716532119648919290"]},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"},"signature_version":"v1","signature_type":"Line"},{"id":"ASB-A-354682735-be65d1b2","source":"https://android.googlesource.com/platform/frameworks/base/+/bc2fbfc0b73535ce9d0c9f73b5130cfffaf4daee","deprecated":false,"digest":{"length":172,"function_hash":"305048536457532374140609217407252405056"},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java","function":"InputMethodSubtypeArray"},"signature_version":"v1","signature_type":"Function"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-354682735.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12:0"},{"fixed":"12:2025-02-01"}]}],"versions":["12"],"ecosystem_specific":{"spl":"2025-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/1e973616542153aaed999c4f1c292ce493f40049"],"severity":"High","types":["EoP"],"vanir_signatures":[{"id":"ASB-A-354682735-0e606605","source":"https://android.googlesource.com/platform/frameworks/base/+/1e973616542153aaed999c4f1c292ce493f40049","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["272945656874343307030929176821475903658","81868893111351473390432093093509595063","167685174330799183210139295969513440766","86278732709458178783488113640790302973","173153596735623192581762532373667618704","28096001934477478579716532119648919290"]},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"},"signature_version":"v1","signature_type":"Line"},{"id":"ASB-A-354682735-c45dc737","source":"https://android.googlesource.com/platform/frameworks/base/+/1e973616542153aaed999c4f1c292ce493f40049","deprecated":false,"digest":{"length":172,"function_hash":"305048536457532374140609217407252405056"},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java","function":"InputMethodSubtypeArray"},"signature_version":"v1","signature_type":"Function"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-354682735.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"12L:0"},{"fixed":"12L:2025-02-01"}]}],"versions":["12L"],"ecosystem_specific":{"spl":"2025-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/b7acc399ad02f3c2faa6cdb61a86a3c642418208"],"severity":"High","types":["EoP"],"vanir_signatures":[{"id":"ASB-A-354682735-3dbe64c9","source":"https://android.googlesource.com/platform/frameworks/base/+/b7acc399ad02f3c2faa6cdb61a86a3c642418208","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["272945656874343307030929176821475903658","81868893111351473390432093093509595063","167685174330799183210139295969513440766","86278732709458178783488113640790302973","173153596735623192581762532373667618704","28096001934477478579716532119648919290"]},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"},"signature_version":"v1","signature_type":"Line"},{"id":"ASB-A-354682735-472f1e37","source":"https://android.googlesource.com/platform/frameworks/base/+/b7acc399ad02f3c2faa6cdb61a86a3c642418208","deprecated":false,"digest":{"length":172,"function_hash":"305048536457532374140609217407252405056"},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java","function":"InputMethodSubtypeArray"},"signature_version":"v1","signature_type":"Function"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-354682735.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-02-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2025-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/e863b7b8285f122fafbab5439ad3c337172bff6c"],"severity":"High","types":["EoP"],"vanir_signatures":[{"id":"ASB-A-354682735-68cfb5ee","source":"https://android.googlesource.com/platform/frameworks/base/+/e863b7b8285f122fafbab5439ad3c337172bff6c","deprecated":false,"digest":{"length":172,"function_hash":"305048536457532374140609217407252405056"},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java","function":"InputMethodSubtypeArray"},"signature_version":"v1","signature_type":"Function"},{"id":"ASB-A-354682735-e128ab79","source":"https://android.googlesource.com/platform/frameworks/base/+/e863b7b8285f122fafbab5439ad3c337172bff6c","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["272945656874343307030929176821475903658","81868893111351473390432093093509595063","167685174330799183210139295969513440766","86278732709458178783488113640790302973","173153596735623192581762532373667618704","28096001934477478579716532119648919290"]},"target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"},"signature_version":"v1","signature_type":"Line"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-354682735.json"}}],"schema_version":"1.7.5"}