{"id":"ASB-A-418773439","details":"In createRequest of MediaProvider.java, there is a possible way for an app to gain read/write access to non-existing files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-418773439","CVE-2026-0035"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/119013a3d7e8f1eab671bce4c6a85748752081ed"}],"affected":[{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/268fc3fb0a438abbc710687a9590cb80b3c0e8bc"],"vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["305872517028075303624788470279955297785","45980193398536676533953657209669643304","231033104621400862645126290910560739119"]},"id":"ASB-A-418773439-7ade520d","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/268fc3fb0a438abbc710687a9590cb80b3c0e8bc","deprecated":false},{"signature_version":"v1","digest":{"function_hash":"173861771679170548802593075625883665458","length":1876},"id":"ASB-A-418773439-c813af07","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"createRequest"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/268fc3fb0a438abbc710687a9590cb80b3c0e8bc","deprecated":false}],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418773439.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-03-01"}]}],"versions":["15"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/fdbfd5ddd808b9c98af6b384c97365ac95877dfc"],"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"239699139025023658026021545374552119442","length":1654},"id":"ASB-A-418773439-36b1a184","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"createRequest"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/fdbfd5ddd808b9c98af6b384c97365ac95877dfc","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["305872517028075303624788470279955297785","45980193398536676533953657209669643304","231033104621400862645126290910560739119"]},"id":"ASB-A-418773439-d344b325","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/fdbfd5ddd808b9c98af6b384c97365ac95877dfc","deprecated":false}],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418773439.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/973f11ad05506303f6bbb3fd6275c3a2b824b2e8"],"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"173861771679170548802593075625883665458","length":1876},"id":"ASB-A-418773439-279ef5bd","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"createRequest"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/973f11ad05506303f6bbb3fd6275c3a2b824b2e8","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["305872517028075303624788470279955297785","45980193398536676533953657209669643304","231033104621400862645126290910560739119"]},"id":"ASB-A-418773439-480a6252","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/973f11ad05506303f6bbb3fd6275c3a2b824b2e8","deprecated":false}],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418773439.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2:0"},{"fixed":"16-qpr2:2026-03-01"}]}],"versions":["16-qpr2"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b65614b2ffdd929ca75bf756807351fc03ef0007"],"vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["305872517028075303624788470279955297785","45980193398536676533953657209669643304","231033104621400862645126290910560739119"]},"id":"ASB-A-418773439-0dd566a4","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b65614b2ffdd929ca75bf756807351fc03ef0007","deprecated":false},{"signature_version":"v1","digest":{"function_hash":"173861771679170548802593075625883665458","length":1876},"id":"ASB-A-418773439-5d3736f4","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"createRequest"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/b65614b2ffdd929ca75bf756807351fc03ef0007","deprecated":false}],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418773439.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-03-01"}]}],"versions":["14"],"ecosystem_specific":{"types":["EoP"],"fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/0676eae5345403d793cb5f29264dfd9863480cbe"],"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"288724530812539261166869570381866518335","length":1443},"id":"ASB-A-418773439-67b5a91a","target":{"file":"src/com/android/providers/media/MediaProvider.java","function":"createRequest"},"signature_type":"Function","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/0676eae5345403d793cb5f29264dfd9863480cbe","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["305872517028075303624788470279955297785","45980193398536676533953657209669643304","231033104621400862645126290910560739119"]},"id":"ASB-A-418773439-cc75752c","target":{"file":"src/com/android/providers/media/MediaProvider.java"},"signature_type":"Line","source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/0676eae5345403d793cb5f29264dfd9863480cbe","deprecated":false}],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-418773439.json"}}],"schema_version":"1.7.5"}