{"id":"ASB-A-364037868","details":"In transferTouchGesture of WindowManagerService.java , there is a possible way to steal sensitive user input due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-364037868","CVE-2025-0097"],"modified":"2026-06-12T15:08:17.296522730Z","published":"2025-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-02-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/a4a8fca641b0671a8c1d2bb3857dc5fc40d01704"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-02-01"}]}],"versions":["15-next"],"ecosystem_specific":{"severity":"High","spl":"2025-02-01","vanir_signatures":[{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912","signature_type":"Line","id":"ASB-A-364037868-077cecf4","digest":{"threshold":0.9,"line_hashes":["112163142825728286601376570101662734826","198441187844705953367518297218540333074","27331201922488527444348889345726650391","331293015077808543825935324836865827489","254620039880769067733808519606851641442","249953778221520835274907734933176820132","319969177551915669436124824182656977126","330455908732409693530174754088748729867","223257893106326682952811327007970127244","165295942820653251744689007900262988486","339867398381699969324056806102280831554","62627831524365546532846835358761752800","328988828590961588487264174790097211293","248873313261974045040769010167705224854","318989329479115589579834466806717562644","196663899505510187640273103465328812632","7110775924930340699819996708845965063","127177807673808879272973357402922359345"]},"target":{"file":"services/core/java/com/android/server/wm/EmbeddedWindowController.java"}},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912","signature_type":"Function","id":"ASB-A-364037868-79092008","digest":{"length":243,"function_hash":"83810895922488579077428771457198824121"},"target":{"function":"transferToEmbedded","file":"services/core/java/com/android/server/wm/EmbeddedWindowController.java"}},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912","signature_type":"Function","id":"ASB-A-364037868-85489d9f","digest":{"function_hash":"164054265702367327672522119214234173400","length":247},"target":{"function":"transferToHost","file":"services/core/java/com/android/server/wm/EmbeddedWindowController.java"}},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"digest":{"threshold":0.9,"line_hashes":["181108224164417289212662977271542690331","216736795130174833053450470557661182606","215186634025237061605494072778302230103","225791094088381205436562372308971221840","22889836881209034311231057490029027386","182136170710394038548729869525887337764","332135305770684805640646991324853200199","3595737875289616547646003412729253565","137029592712009112373773104562906111147","224324049306989509769718368863998371337","235365628243456370451281111157950868873","43211814438570816332155080524257449205","27006274758510872070366092813070533912","73535199168703535995551755658540598115","45103882340012321970988861038420164399","7131532624119669257814056485339276521"]},"id":"ASB-A-364037868-92a8d311"},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912","signature_type":"Function","id":"ASB-A-364037868-ac5c1030","digest":{"function_hash":"223722273761691818931384484457924667470","length":568},"target":{"function":"transferTouchGesture","file":"services/core/java/com/android/server/wm/WindowManagerService.java"}},{"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912","id":"ASB-A-364037868-f8ef5a79","digest":{"length":910,"function_hash":"192057271889427299029746959248646603949"},"target":{"function":"grantInputChannel","file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/ea329372d8426c6cdbc2d5570c10bef1003d9912"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364037868.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-02-01"}]}],"versions":["15"],"ecosystem_specific":{"severity":"High","spl":"2025-02-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356"],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356","signature_type":"Line","id":"ASB-A-364037868-524896c0","digest":{"line_hashes":["112163142825728286601376570101662734826","198441187844705953367518297218540333074","27331201922488527444348889345726650391","331293015077808543825935324836865827489","254620039880769067733808519606851641442","249953778221520835274907734933176820132","319969177551915669436124824182656977126","330455908732409693530174754088748729867","223257893106326682952811327007970127244","165295942820653251744689007900262988486","339867398381699969324056806102280831554","62627831524365546532846835358761752800","328988828590961588487264174790097211293","248873313261974045040769010167705224854","318989329479115589579834466806717562644","196663899505510187640273103465328812632","7110775924930340699819996708845965063","127177807673808879272973357402922359345"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/wm/EmbeddedWindowController.java"}},{"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356","id":"ASB-A-364037868-aa6ace9d","digest":{"length":910,"function_hash":"192057271889427299029746959248646603949"},"target":{"function":"grantInputChannel","file":"services/core/java/com/android/server/wm/WindowManagerService.java"}},{"signature_version":"v1","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356","id":"ASB-A-364037868-ae35eff7","digest":{"length":243,"function_hash":"83810895922488579077428771457198824121"},"target":{"function":"transferToEmbedded","file":"services/core/java/com/android/server/wm/EmbeddedWindowController.java"}},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356","signature_type":"Function","target":{"function":"transferToHost","file":"services/core/java/com/android/server/wm/EmbeddedWindowController.java"},"digest":{"length":247,"function_hash":"164054265702367327672522119214234173400"},"id":"ASB-A-364037868-c1c0b340"},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356","signature_type":"Function","target":{"function":"transferTouchGesture","file":"services/core/java/com/android/server/wm/WindowManagerService.java"},"digest":{"length":568,"function_hash":"223722273761691818931384484457924667470"},"id":"ASB-A-364037868-c30e2726"},{"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/4089c359361d8703bab3be0ab0a29723db76b356","signature_type":"Line","id":"ASB-A-364037868-f7c22191","digest":{"line_hashes":["181108224164417289212662977271542690331","216736795130174833053450470557661182606","215186634025237061605494072778302230103","225791094088381205436562372308971221840","22889836881209034311231057490029027386","182136170710394038548729869525887337764","332135305770684805640646991324853200199","3595737875289616547646003412729253565","137029592712009112373773104562906111147","224324049306989509769718368863998371337","235365628243456370451281111157950868873","43211814438570816332155080524257449205","27006274758510872070366092813070533912","73535199168703535995551755658540598115","45103882340012321970988861038420164399","7131532624119669257814056485339276521"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-364037868.json"}}],"schema_version":"1.7.5"}