{"id":"ASB-A-378900798","details":"In handleKeyGestureEvent of PhoneWindowManager.java, there is a possible lock screen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-378900798","CVE-2025-22434"],"modified":"2026-04-24T15:37:38.793646Z","published":"2025-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/2880f0ab2dc63dc6ea820afb79e9be523ecb7074"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-04-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-04-01","types":["EoP"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e","signature_type":"Line","id":"ASB-A-378900798-71cbfaba","signature_version":"v1","digest":{"line_hashes":["28959012149391887303789223419682196407","215127324013538836164832943935517447144","122346560820462425574650886488120941592","141147856498508908974573375085630678132","82978871960677067790497560000903917110","318962236996577307363230580472724364961","310334583965931542305255613790248446481","240426481127596124219141509960202155400"],"threshold":0.9},"deprecated":false,"target":{"file":"services/tests/wmtests/src/com/android/server/policy/TestPhoneWindowManager.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e","signature_type":"Line","id":"ASB-A-378900798-909dada6","signature_version":"v1","digest":{"line_hashes":["5828766274388516397566572745948822464","124632940938700056805077162839905099998","182912203242445935183955433600191947697","201858365207918023506002747891858575986","200726031119648814314848430492283690579","18898144419850499145640303968815291890","201253257454322719274508933938236405084","241777363525423794927680092799825515398","205707680570418314863727179338086639768","425236404571181564445548470422597295","148633512413854456895346780016781149739","284075078948593042391195242283249550160","192022396674133910526800760553630864562","39727040980124287229594313204547240278","221623086975130625870752093029597776387","80707218644163245194688901665023341486","242871270962377328135490985862290695100","73043268094597511653556206109848195832","326174678286568785741864515931416712752","37760316796022335458527079684903795326","4215683018465675134115717880758973220","145307013262920037754817676949053726931","108500933277267243668883735296037446108","105885099068052262622092640624525478891","219112832347519433113877361761481251523"],"threshold":0.9},"deprecated":false,"target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e","signature_type":"Function","id":"ASB-A-378900798-9efc74fe","signature_version":"v1","digest":{"function_hash":"66523745031589451048016083060354495390","length":12701},"deprecated":false,"target":{"function":"interceptSystemKeysAndShortcutsOld","file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e","signature_type":"Function","id":"ASB-A-378900798-f740cbeb","signature_version":"v1","digest":{"function_hash":"174129089617097500984247160286301691920","length":5646},"deprecated":false,"target":{"function":"handleKeyGestureEvent","file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-378900798.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-04-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-04-01","types":["EoP"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4","signature_type":"Function","id":"ASB-A-378900798-3e00b245","signature_version":"v1","digest":{"function_hash":"281206938812453495773924118125475532002","length":11747},"deprecated":false,"target":{"function":"interceptSystemKeysAndShortcuts","file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4","signature_type":"Line","id":"ASB-A-378900798-4a044bb8","signature_version":"v1","digest":{"line_hashes":["5828766274388516397566572745948822464","124632940938700056805077162839905099998","185055474619527747241625598921442687391","322705238235269899514175635159589048835"],"threshold":0.9},"deprecated":false,"target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-378900798.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-04-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-04-01","types":["EoP"],"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/4eeb65a1f685f4bb6d5288b8e67ef92faf2cfeb4","signature_type":"Function","id":"ASB-A-378900798-d7dc3cd8","signature_version":"v1","digest":{"function_hash":"310739601641574088625821270794126574556","length":9261},"deprecated":false,"target":{"function":"interceptKeyBeforeDispatching","file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/4eeb65a1f685f4bb6d5288b8e67ef92faf2cfeb4","signature_type":"Line","id":"ASB-A-378900798-e56a5138","signature_version":"v1","digest":{"line_hashes":["297821185608581471747983514677418212304","241564979252892164497298041986132519504","22612875316046615395319571399059617069","235875679742249690051929597598037858457"],"threshold":0.9},"deprecated":false,"target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4eeb65a1f685f4bb6d5288b8e67ef92faf2cfeb4"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-378900798.json"}}],"schema_version":"1.7.5"}