{"id":"ASB-A-383080440","details":"In loadDrawableForCookie of ResourcesImpl.java, there is a possible way to access task snapshots of other apps due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-383080440","CVE-2025-26452"],"modified":"2026-05-25T16:46:24.913870386Z","published":"2025-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/37a272435a238d8ca312b3ffeacac7dc348905e7"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-06-01"}]}],"versions":["16-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/12e49e7a4e56df4dce97f80051063f45e8366329"],"spl":"2025-06-01","severity":"High","vanir_signatures":[{"target":{"function":"overlayPathToIdmapPath","file":"core/java/android/app/ResourcesManager.java"},"deprecated":false,"match_only_versions":["16-next"],"signature_version":"v1","digest":{"function_hash":"302366377958737841105826066030451941814","length":128},"signature_type":"Function","id":"ASB-A-383080440-6dec3b90","source":"https://android.googlesource.com/platform/frameworks/base/+/12e49e7a4e56df4dce97f80051063f45e8366329"},{"source":"https://android.googlesource.com/platform/frameworks/base/+/12e49e7a4e56df4dce97f80051063f45e8366329","target":{"function":"loadDrawableForCookie","file":"core/java/android/content/res/ResourcesImpl.java"},"signature_type":"Function","deprecated":false,"id":"ASB-A-383080440-ec5fc01d","signature_version":"v1","digest":{"length":2147,"function_hash":"170737210148046765503868115839854607973"}},{"id":"ASB-A-383080440-f8902f93","target":{"file":"core/java/android/app/ResourcesManager.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/12e49e7a4e56df4dce97f80051063f45e8366329","deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["278612898363312133116596281562306632680","127752595642084618430372120396150799618","111349714115363387205197335069424543158","287343744169020493158913040420744318003","59587149499950042942530243573511868237","171055740057872187214972475201041343310","108674448048338131290289547941634429018","175953075435211722100163960562646964412"]}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/12e49e7a4e56df4dce97f80051063f45e8366329","target":{"file":"core/java/android/content/res/ResourcesImpl.java"},"id":"ASB-A-383080440-fc69b56e","deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["278137568367005064522073939807701354465","136516853288694642942077550319910692589","111161983671489352532935922247924486040","335172869098211592555544281669138186096","253022262588738185990163276230521945769","19833683735931779814117961250965352658","132195445436402799784144644215127859352","339586214599977275303256476415713255829","40547039475665745567004202107322798247","313956323210299805317391394912630880758","58080783549927857446827593027643735772","196940782235051198726391733068278746997"]}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-383080440.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-06-01"}]}],"versions":["15"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2de1592713696d56d160b14959ddf1fadfa256bf"],"spl":"2025-06-01","severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/2de1592713696d56d160b14959ddf1fadfa256bf","target":{"function":"loadDrawableForCookie","file":"core/java/android/content/res/ResourcesImpl.java"},"signature_type":"Function","deprecated":false,"id":"ASB-A-383080440-5f1d76d5","signature_version":"v1","digest":{"length":2147,"function_hash":"170737210148046765503868115839854607973"}},{"target":{"file":"core/java/android/app/ResourcesManager.java"},"deprecated":false,"match_only_versions":["15"],"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["334638622433126471067189111576476221856","223151087782806112667992992784696869956","219501797107295260289399189271964702260","290188987086763958324837165201410355981","59587149499950042942530243573511868237","171055740057872187214972475201041343310","133230678999781434348425027764230835917","339585079440473761590071588723514971541"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/2de1592713696d56d160b14959ddf1fadfa256bf","signature_type":"Line","id":"ASB-A-383080440-7410b02e"},{"target":{"function":"overlayPathToIdmapPath","file":"core/java/android/app/ResourcesManager.java"},"deprecated":false,"match_only_versions":["15"],"signature_version":"v1","digest":{"length":128,"function_hash":"302366377958737841105826066030451941814"},"signature_type":"Function","id":"ASB-A-383080440-b3258812","source":"https://android.googlesource.com/platform/frameworks/base/+/2de1592713696d56d160b14959ddf1fadfa256bf"},{"id":"ASB-A-383080440-d4192103","target":{"file":"core/java/android/content/res/ResourcesImpl.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2de1592713696d56d160b14959ddf1fadfa256bf","deprecated":false,"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["278137568367005064522073939807701354465","136516853288694642942077550319910692589","111161983671489352532935922247924486040","335172869098211592555544281669138186096","253022262588738185990163276230521945769","19833683735931779814117961250965352658","132195445436402799784144644215127859352","339586214599977275303256476415713255829","40547039475665745567004202107322798247","313956323210299805317391394912630880758","58080783549927857446827593027643735772","196940782235051198726391733068278746997"]}}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-383080440.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-06-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2ff8b4aef08bbc1e84af35404846026eca3cbd5c"],"spl":"2025-06-01","severity":"High","vanir_signatures":[{"target":{"function":"overlayPathToIdmapPath","file":"core/java/android/app/ResourcesManager.java"},"deprecated":false,"match_only_versions":["14"],"signature_version":"v1","digest":{"function_hash":"302366377958737841105826066030451941814","length":128},"id":"ASB-A-383080440-0c47eac1","source":"https://android.googlesource.com/platform/frameworks/base/+/2ff8b4aef08bbc1e84af35404846026eca3cbd5c","signature_type":"Function"},{"signature_type":"Line","target":{"file":"core/java/android/content/res/ResourcesImpl.java"},"id":"ASB-A-383080440-46a9558c","deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/base/+/2ff8b4aef08bbc1e84af35404846026eca3cbd5c","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["193538695188391609517026744151731390407","293402991944039278828489530765797128211","272540874156039003051819665366724482245","156411806556529448444656332384462532491","278137568367005064522073939807701354465","136516853288694642942077550319910692589","111161983671489352532935922247924486040","335172869098211592555544281669138186096","253022262588738185990163276230521945769","19833683735931779814117961250965352658","132195445436402799784144644215127859352","339586214599977275303256476415713255829","40547039475665745567004202107322798247","313956323210299805317391394912630880758","58080783549927857446827593027643735772","196940782235051198726391733068278746997"]}},{"source":"https://android.googlesource.com/platform/frameworks/base/+/2ff8b4aef08bbc1e84af35404846026eca3cbd5c","target":{"function":"loadDrawableForCookie","file":"core/java/android/content/res/ResourcesImpl.java"},"signature_type":"Function","deprecated":false,"id":"ASB-A-383080440-5805259c","signature_version":"v1","digest":{"length":2147,"function_hash":"170737210148046765503868115839854607973"}},{"target":{"file":"core/java/android/app/ResourcesManager.java"},"deprecated":false,"match_only_versions":["14"],"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["334638622433126471067189111576476221856","223151087782806112667992992784696869956","219501797107295260289399189271964702260","290188987086763958324837165201410355981","59587149499950042942530243573511868237","171055740057872187214972475201041343310","133230678999781434348425027764230835917","339585079440473761590071588723514971541"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/2ff8b4aef08bbc1e84af35404846026eca3cbd5c","id":"ASB-A-383080440-bd181f67","signature_type":"Line"}]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-383080440.json"}}],"schema_version":"1.7.5"}