{"id":"ASB-A-417195606","details":"In multiple functions of MediaProvider.java, there is a possible external storage write permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-417195606","CVE-2025-48579"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/7ea0a039ec32fcd6477355431b953f4689a2fa61"}],"affected":[{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["157008262511666817509664268140295072205","340256004154136506690278408790561081844","221300492259721940217838245087518561287","22731703843265273253419147521500510308","330550544592204249471665078156016999844","141625541906072031225061328149433762461","105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-648256df","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b"},{"digest":{"length":11920,"function_hash":"145389143715353340976887769248962519906"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-87a639d9","target":{"function":"updateInternal","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b"},{"digest":{"length":1500,"function_hash":"302616573519657844830296422326247535450"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-e7f0e78d","target":{"function":"getResultForGetMediaUri","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b"}],"spl":"2026-03-01","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b"],"types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-417195606.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-03-01"}]}],"versions":["15"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["340256004154136506690278408790561081844","221300492259721940217838245087518561287","22731703843265273253419147521500510308","330550544592204249471665078156016999844","105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-06a2b15c","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67"},{"digest":{"length":1280,"function_hash":"91962688363124041771487770172171075718"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-a19aaa74","target":{"function":"getResultForGetMediaUri","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67"},{"digest":{"length":11594,"function_hash":"289346420551521676399412182515700069900"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-a9f3fff6","target":{"function":"updateInternal","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67"}],"spl":"2026-03-01","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67"],"types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-417195606.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":11894,"function_hash":"252859413699993422588117712992192386126"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-35f2370d","target":{"function":"updateInternal","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527"},{"digest":{"line_hashes":["340256004154136506690278408790561081844","221300492259721940217838245087518561287","22731703843265273253419147521500510308","330550544592204249471665078156016999844","105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-7042ff3e","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527"},{"digest":{"length":1280,"function_hash":"91962688363124041771487770172171075718"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-f4d3b9f5","target":{"function":"getResultForGetMediaUri","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527"}],"spl":"2026-03-01","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527"],"types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-417195606.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-03-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"length":11655,"function_hash":"173341845250437689172274271489378931118"},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-033ccb4c","target":{"function":"updateInternal","file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/8dbe36509166e800212ce6bf845955d359d5fef3"},{"digest":{"line_hashes":["105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"],"threshold":0.9},"signature_version":"v1","deprecated":false,"id":"ASB-A-417195606-049d83b7","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/8dbe36509166e800212ce6bf845955d359d5fef3"}],"spl":"2026-03-01","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/8dbe36509166e800212ce6bf845955d359d5fef3"],"types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-417195606.json"}}],"schema_version":"1.7.5"}