{"id":"ASB-A-418225717","details":"In multiple functions of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-418225717","CVE-2025-48578"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/7ea0a039ec32fcd6477355431b953f4689a2fa61"}],"affected":[{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b"],"vanir_signatures":[{"id":"ASB-A-418225717-648256df","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["157008262511666817509664268140295072205","340256004154136506690278408790561081844","221300492259721940217838245087518561287","22731703843265273253419147521500510308","330550544592204249471665078156016999844","141625541906072031225061328149433762461","105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"]},"signature_version":"v1"},{"id":"ASB-A-418225717-87a639d9","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"updateInternal"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b","deprecated":false,"signature_type":"Function","digest":{"function_hash":"145389143715353340976887769248962519906","length":11920},"signature_version":"v1"},{"id":"ASB-A-418225717-e7f0e78d","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"getResultForGetMediaUri"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/bb834ffbc6bbede6ca1ad49ca1301e6e567c551b","deprecated":false,"signature_type":"Function","digest":{"function_hash":"302616573519657844830296422326247535450","length":1500},"signature_version":"v1"}],"spl":"2026-03-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418225717.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-03-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67"],"vanir_signatures":[{"id":"ASB-A-418225717-06a2b15c","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["340256004154136506690278408790561081844","221300492259721940217838245087518561287","22731703843265273253419147521500510308","330550544592204249471665078156016999844","105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"]},"signature_version":"v1"},{"id":"ASB-A-418225717-a19aaa74","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"getResultForGetMediaUri"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67","deprecated":false,"signature_type":"Function","digest":{"function_hash":"91962688363124041771487770172171075718","length":1280},"signature_version":"v1"},{"id":"ASB-A-418225717-a9f3fff6","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"updateInternal"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/594de7bc81b3a510a4fa6ef17f4981e22fc05c67","deprecated":false,"signature_type":"Function","digest":{"function_hash":"289346420551521676399412182515700069900","length":11594},"signature_version":"v1"}],"spl":"2026-03-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418225717.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527"],"vanir_signatures":[{"id":"ASB-A-418225717-35f2370d","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"updateInternal"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527","deprecated":false,"signature_type":"Function","digest":{"function_hash":"252859413699993422588117712992192386126","length":11894},"signature_version":"v1"},{"id":"ASB-A-418225717-7042ff3e","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["340256004154136506690278408790561081844","221300492259721940217838245087518561287","22731703843265273253419147521500510308","330550544592204249471665078156016999844","105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"]},"signature_version":"v1"},{"id":"ASB-A-418225717-f4d3b9f5","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"getResultForGetMediaUri"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/9c184d461fd647178bea74450cf4c3e2643f9527","deprecated":false,"signature_type":"Function","digest":{"function_hash":"91962688363124041771487770172171075718","length":1280},"signature_version":"v1"}],"spl":"2026-03-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418225717.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-03-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/8dbe36509166e800212ce6bf845955d359d5fef3"],"vanir_signatures":[{"id":"ASB-A-418225717-033ccb4c","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"updateInternal"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/8dbe36509166e800212ce6bf845955d359d5fef3","deprecated":false,"signature_type":"Function","digest":{"function_hash":"173341845250437689172274271489378931118","length":11655},"signature_version":"v1"},{"id":"ASB-A-418225717-049d83b7","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/8dbe36509166e800212ce6bf845955d359d5fef3","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["105197278000995005878340370576503128461","148588621183761209098530501553085134004","234486941104465051895651068277170769458","159125132531065204561919677225407971210","212940894353910588917176189519922663351"]},"signature_version":"v1"}],"spl":"2026-03-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418225717.json"}}],"schema_version":"1.7.5"}