{"id":"ASB-A-428700812","details":"In validateAddingWindowLw of DisplayPolicy.java, there is a possible way for an app to intercept drag-and-drop events due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-428700812","CVE-2025-48574"],"modified":"2026-04-24T15:37:38.793646Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/1cfd8237b5a8e9fa64367e3d0dfff525d63821e1"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["98752812802073782255665731612229756896","274262754643115422597428948583922289536","318731427274930132367561533845173014749","317343576857372265059508882391318437561"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/467b18585de4d1faa80d4b056dd3d69654d16651","target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Line","id":"ASB-A-428700812-4705c668","deprecated":false},{"digest":{"function_hash":"186755667958182594295730593138560154409","length":1231},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/467b18585de4d1faa80d4b056dd3d69654d16651","target":{"function":"validateAddingWindowLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Function","id":"ASB-A-428700812-52e0f1fa","deprecated":false}],"spl":"2026-03-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/467b18585de4d1faa80d4b056dd3d69654d16651"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-428700812.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-03-01"}]}],"versions":["15"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"function_hash":"29989405332654415831203586040819263246","length":1929},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c33c47731fd942dd54d6cedaa222eadbbade098b","target":{"function":"validateAddingWindowLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Function","id":"ASB-A-428700812-529ee2cb","deprecated":false},{"digest":{"line_hashes":["98752812802073782255665731612229756896","274262754643115422597428948583922289536","148102332571247974663867562405591437184","117545886929869845745615480157282044347"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c33c47731fd942dd54d6cedaa222eadbbade098b","target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Line","id":"ASB-A-428700812-fc2ee646","deprecated":false}],"spl":"2026-03-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c33c47731fd942dd54d6cedaa222eadbbade098b"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-428700812.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"function_hash":"172941894425957385641700590191833076711","length":1785},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c63342c195420912e6b2ce30b8a13d435f253a05","target":{"function":"validateAddingWindowLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Function","id":"ASB-A-428700812-eb31c1f3","deprecated":false},{"digest":{"line_hashes":["98752812802073782255665731612229756896","274262754643115422597428948583922289536","318731427274930132367561533845173014749","317343576857372265059508882391318437561"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/c63342c195420912e6b2ce30b8a13d435f253a05","target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Line","id":"ASB-A-428700812-f8755ed4","deprecated":false}],"spl":"2026-03-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c63342c195420912e6b2ce30b8a13d435f253a05"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-428700812.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-03-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"digest":{"line_hashes":["98752812802073782255665731612229756896","274262754643115422597428948583922289536","148102332571247974663867562405591437184","117545886929869845745615480157282044347"],"threshold":0.9},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/94a7059e033c4ebb226bc587e23e0abe9a1141ec","target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Line","id":"ASB-A-428700812-65ee588a","deprecated":false},{"digest":{"function_hash":"121505959893738281513223359954111053405","length":3035},"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/94a7059e033c4ebb226bc587e23e0abe9a1141ec","target":{"function":"validateAddingWindowLw","file":"services/core/java/com/android/server/wm/DisplayPolicy.java"},"signature_type":"Function","id":"ASB-A-428700812-f1c80cbe","deprecated":false}],"spl":"2026-03-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/94a7059e033c4ebb226bc587e23e0abe9a1141ec"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-428700812.json"}}],"schema_version":"1.7.5"}