{"id":"ASB-A-388480622","details":"In initializeSwizzler of SkBmpStandardCodec.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-388480622","CVE-2025-26416"],"modified":"2026-04-17T15:55:28.020024Z","published":"2025-04-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-04-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/skia/+/fc2ebb312c5898486776df981a51c2bb90e3756d"}],"affected":[{"package":{"name":"platform/external/skia","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15-next:0"},{"fixed":"15-next:2025-04-01"}]}],"versions":["15-next"],"ecosystem_specific":{"spl":"2025-04-01","vanir_signatures":[{"signature_version":"v1","signature_type":"Function","id":"ASB-A-388480622-095f111b","source":"https://android.googlesource.com/platform/external/skia/+/bfae9080f53da925d53c24537e901a5015aa9311","deprecated":false,"digest":{"function_hash":"177561997836789650145611253905413223099","length":549},"target":{"file":"src/codec/SkBmpStandardCodec.cpp","function":"SkBmpStandardCodec::initializeSwizzler"}},{"signature_version":"v1","signature_type":"Line","id":"ASB-A-388480622-dba6be3b","source":"https://android.googlesource.com/platform/external/skia/+/bfae9080f53da925d53c24537e901a5015aa9311","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["286849986559465055291989942090731074382","52764690829941560468026037836866162379","113349593332524221481260156528832118053","78828537805330186747886145317844987192"]},"target":{"file":"src/codec/SkBmpStandardCodec.cpp"}}],"severity":"Critical","fixes":["https://android.googlesource.com/platform/external/skia/+/bfae9080f53da925d53c24537e901a5015aa9311"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-388480622.json"}},{"package":{"name":"platform/external/skia","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-04-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2025-04-01","vanir_signatures":[{"signature_version":"v1","signature_type":"Line","id":"ASB-A-388480622-4f2393fe","source":"https://android.googlesource.com/platform/external/skia/+/bfae9080f53da925d53c24537e901a5015aa9311","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["286849986559465055291989942090731074382","52764690829941560468026037836866162379","113349593332524221481260156528832118053","78828537805330186747886145317844987192"]},"target":{"file":"src/codec/SkBmpStandardCodec.cpp"}},{"signature_version":"v1","signature_type":"Function","id":"ASB-A-388480622-bc9521d9","source":"https://android.googlesource.com/platform/external/skia/+/bfae9080f53da925d53c24537e901a5015aa9311","deprecated":false,"digest":{"function_hash":"177561997836789650145611253905413223099","length":549},"target":{"file":"src/codec/SkBmpStandardCodec.cpp","function":"SkBmpStandardCodec::initializeSwizzler"}}],"severity":"Critical","fixes":["https://android.googlesource.com/platform/external/skia/+/bfae9080f53da925d53c24537e901a5015aa9311"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-388480622.json"}},{"package":{"name":"platform/external/skia","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-04-01"}]}],"versions":["13"],"ecosystem_specific":{"spl":"2025-04-01","vanir_signatures":[{"signature_version":"v1","signature_type":"Function","id":"ASB-A-388480622-5379d2f2","source":"https://android.googlesource.com/platform/external/skia/+/d44bab0332f621d653fc398243e287f290fc0c24","deprecated":false,"digest":{"function_hash":"177561997836789650145611253905413223099","length":549},"target":{"file":"src/codec/SkBmpStandardCodec.cpp","function":"SkBmpStandardCodec::initializeSwizzler"}},{"signature_version":"v1","signature_type":"Line","id":"ASB-A-388480622-f8972a36","source":"https://android.googlesource.com/platform/external/skia/+/d44bab0332f621d653fc398243e287f290fc0c24","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["286849986559465055291989942090731074382","52764690829941560468026037836866162379","113349593332524221481260156528832118053","78828537805330186747886145317844987192"]},"target":{"file":"src/codec/SkBmpStandardCodec.cpp"}}],"severity":"Critical","fixes":["https://android.googlesource.com/platform/external/skia/+/d44bab0332f621d653fc398243e287f290fc0c24"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-388480622.json"}},{"package":{"name":"platform/external/skia","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-04-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2025-04-01","vanir_signatures":[{"signature_version":"v1","signature_type":"Line","id":"ASB-A-388480622-b1904a95","source":"https://android.googlesource.com/platform/external/skia/+/c58deb210e62cf57de91b0eb8844b782fc774135","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["286849986559465055291989942090731074382","52764690829941560468026037836866162379","113349593332524221481260156528832118053","78828537805330186747886145317844987192"]},"target":{"file":"src/codec/SkBmpStandardCodec.cpp"}},{"signature_version":"v1","signature_type":"Function","id":"ASB-A-388480622-ba5dc137","source":"https://android.googlesource.com/platform/external/skia/+/c58deb210e62cf57de91b0eb8844b782fc774135","deprecated":false,"digest":{"function_hash":"177561997836789650145611253905413223099","length":549},"target":{"file":"src/codec/SkBmpStandardCodec.cpp","function":"SkBmpStandardCodec::initializeSwizzler"}}],"severity":"Critical","fixes":["https://android.googlesource.com/platform/external/skia/+/c58deb210e62cf57de91b0eb8844b782fc774135"],"types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-388480622.json"}}],"schema_version":"1.7.5"}