{"id":"ASB-A-433251166","details":"In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-433251166","CVE-2026-0007"],"modified":"2026-04-15T15:55:00.724021Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/8ec74c568b5881901cad0f1147fdc607702101e0"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"file":"libs/gui/WindowInfo.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/03b9ecf49d11630d5992da30265fb03621846ce1","digest":{"threshold":0.9,"line_hashes":["11968114377855659063378960728208100753","305124388906133541940712074515890443530","318958507213923030039908357102476088956","313060144513310184883407558215823407297","219552857511252441948800965910285988086","340061046736469676612529618721038314221","181226440056422328338090035981296325394"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"match_only_versions":["16-qpr2-next"],"id":"ASB-A-433251166-0e904e3b"},{"target":{"file":"libs/gui/WindowInfo.cpp","function":"WindowInfo::writeToParcel"},"source":"https://android.googlesource.com/platform/frameworks/native/+/03b9ecf49d11630d5992da30265fb03621846ce1","digest":{"length":1900,"function_hash":"275979120619071444917290488762406076730"},"signature_version":"v1","signature_type":"Function","deprecated":false,"match_only_versions":["16-qpr2-next"],"id":"ASB-A-433251166-7dd261d7"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/native/+/03b9ecf49d11630d5992da30265fb03621846ce1"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-433251166.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-03-01"}]}],"versions":["15"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/de1b131c0806f16f7ad76b42244ea207ccc64cbc","digest":{"length":1981,"function_hash":"114624152261741290800350092301065489318"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-433251166-36f40c5b","target":{"file":"libs/gui/WindowInfo.cpp","function":"WindowInfo::writeToParcel"}},{"target":{"file":"libs/gui/WindowInfo.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/de1b131c0806f16f7ad76b42244ea207ccc64cbc","digest":{"threshold":0.9,"line_hashes":["11968114377855659063378960728208100753","305124388906133541940712074515890443530","318958507213923030039908357102476088956","313060144513310184883407558215823407297","219552857511252441948800965910285988086","340061046736469676612529618721038314221","181226440056422328338090035981296325394"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"match_only_versions":["15"],"id":"ASB-A-433251166-b8d85a76"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/native/+/de1b131c0806f16f7ad76b42244ea207ccc64cbc"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-433251166.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"target":{"file":"libs/gui/WindowInfo.cpp","function":"WindowInfo::writeToParcel"},"source":"https://android.googlesource.com/platform/frameworks/native/+/1d4bb5d8bef543769e3fef7d4f4bc720696cd7cd","digest":{"length":1900,"function_hash":"275979120619071444917290488762406076730"},"signature_version":"v1","signature_type":"Function","deprecated":false,"match_only_versions":["16"],"id":"ASB-A-433251166-74606f83"},{"target":{"file":"libs/gui/WindowInfo.cpp"},"source":"https://android.googlesource.com/platform/frameworks/native/+/1d4bb5d8bef543769e3fef7d4f4bc720696cd7cd","digest":{"threshold":0.9,"line_hashes":["11968114377855659063378960728208100753","305124388906133541940712074515890443530","318958507213923030039908357102476088956","313060144513310184883407558215823407297","219552857511252441948800965910285988086","340061046736469676612529618721038314221","181226440056422328338090035981296325394"]},"signature_version":"v1","signature_type":"Line","deprecated":false,"match_only_versions":["16"],"id":"ASB-A-433251166-eaef952b"}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/native/+/1d4bb5d8bef543769e3fef7d4f4bc720696cd7cd"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-433251166.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-03-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/9c7fcd60b64e4fb0e29ef10dd26acdc92081bbd9","digest":{"threshold":0.9,"line_hashes":["258512655259737954363327915207554126316","299355640196846537115011525305231893888","322748327824787907063795388556363262506","313060144513310184883407558215823407297","219552857511252441948800965910285988086","340061046736469676612529618721038314221","181226440056422328338090035981296325394"]},"signature_version":"v1","signature_type":"Line","id":"ASB-A-433251166-e892c58d","target":{"file":"libs/gui/WindowInfo.cpp"}},{"deprecated":false,"source":"https://android.googlesource.com/platform/frameworks/native/+/9c7fcd60b64e4fb0e29ef10dd26acdc92081bbd9","digest":{"length":1825,"function_hash":"301837789919764440613752627139208173597"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-433251166-eaef387f","target":{"file":"libs/gui/WindowInfo.cpp","function":"WindowInfo::writeToParcel"}}],"types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/native/+/9c7fcd60b64e4fb0e29ef10dd26acdc92081bbd9"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-433251166.json"}}],"schema_version":"1.7.5"}