{"id":"ASB-A-370962373","details":"In multiple functions of CompanionDeviceManagerService.java, there is a possible way to grant permissions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-370962373","CVE-2025-0099"],"modified":"2026-06-12T15:08:17.296522730Z","published":"2025-02-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-02-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/7946586c33503bc383403faec48ffcea39e365ac"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-02-01"}]}],"versions":["15-next"],"ecosystem_specific":{"severity":"High","types":["EoP"],"spl":"2025-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/692cddfb32abae6c77b00c4850fd36b7eaaf8c70"],"vanir_signatures":[{"signature_type":"Function","id":"ASB-A-370962373-4d8f6a46","digest":{"length":88,"function_hash":"4240526573347741701383026480308334057"},"target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java","function":"getBackupPayload"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/692cddfb32abae6c77b00c4850fd36b7eaaf8c70","signature_version":"v1"},{"signature_type":"Function","id":"ASB-A-370962373-8d778d54","digest":{"length":103,"function_hash":"80749470785317375633430002806464151928"},"target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java","function":"applyRestoredPayload"},"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/692cddfb32abae6c77b00c4850fd36b7eaaf8c70","signature_version":"v1"},{"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/692cddfb32abae6c77b00c4850fd36b7eaaf8c70","digest":{"threshold":0.9,"line_hashes":["335960718412907313367981356592162676942","263110392768386747985260879713506925328","332552674595931601156312424344457584492","236120831168666863532369763580178696761","265220646878657219400273228719965943057","330360416465372736820418429089610892518","316352562444567643242223542801087355968","191425971114102596495062438571726966520"]},"target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-370962373-c33fc108"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-370962373.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-02-01"}]}],"versions":["15"],"ecosystem_specific":{"severity":"High","types":["EoP"],"spl":"2025-02-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/191638ababfc5b03d63264b8932c5903f18543ba"],"vanir_signatures":[{"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/191638ababfc5b03d63264b8932c5903f18543ba","digest":{"threshold":0.9,"line_hashes":["335960718412907313367981356592162676942","263110392768386747985260879713506925328","332552674595931601156312424344457584492","236120831168666863532369763580178696761","265220646878657219400273228719965943057","330360416465372736820418429089610892518","316352562444567643242223542801087355968","191425971114102596495062438571726966520"]},"target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false,"signature_version":"v1","id":"ASB-A-370962373-0485d22c"},{"signature_type":"Function","id":"ASB-A-370962373-acd7e42f","signature_version":"v1","target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java","function":"getBackupPayload"},"deprecated":false,"digest":{"length":88,"function_hash":"4240526573347741701383026480308334057"},"source":"https://android.googlesource.com/platform/frameworks/base/+/191638ababfc5b03d63264b8932c5903f18543ba"},{"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/191638ababfc5b03d63264b8932c5903f18543ba","digest":{"length":103,"function_hash":"80749470785317375633430002806464151928"},"target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java","function":"applyRestoredPayload"},"deprecated":false,"signature_version":"v1","id":"ASB-A-370962373-cc532a2c"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-370962373.json"}}],"schema_version":"1.7.5"}