{"id":"ASB-A-438098181","details":"In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-438098181","CVE-2025-48596"],"modified":"2026-04-10T16:16:18.068628Z","published":"2025-12-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-12-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/native/+/6ffdde944d4e0b440b1dfc1f232687299700e039"}],"affected":[{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2025-12-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/ab883e120ae18ef93a4c6f17c05a14218da5118e"],"vanir_signatures":[{"id":"ASB-A-438098181-503a4db6","source":"https://android.googlesource.com/platform/frameworks/native/+/ab883e120ae18ef93a4c6f17c05a14218da5118e","target":{"file":"libs/binder/Parcel.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["226620226467265667884944882136950941139","194680325870090258928847415399434156022","227303961434911064723463816536823782131","111872119573103270601884493566886103275"]},"signature_version":"v1","deprecated":false},{"id":"ASB-A-438098181-cbe4ff23","source":"https://android.googlesource.com/platform/frameworks/native/+/ab883e120ae18ef93a4c6f17c05a14218da5118e","target":{"function":"Parcel::appendFrom","file":"libs/binder/Parcel.cpp"},"signature_type":"Function","digest":{"function_hash":"19595452012605691291254102540303697331","length":6458},"signature_version":"v1","deprecated":false}],"spl":"2025-12-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-438098181.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-12-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/020d869e99b02a08a7aa695a391f6f9bb20fa386"],"vanir_signatures":[{"id":"ASB-A-438098181-3036be20","source":"https://android.googlesource.com/platform/frameworks/native/+/020d869e99b02a08a7aa695a391f6f9bb20fa386","target":{"function":"Parcel::appendFrom","file":"libs/binder/Parcel.cpp"},"signature_type":"Function","digest":{"function_hash":"271858957017686624175316698069222142212","length":4549},"signature_version":"v1","deprecated":false},{"id":"ASB-A-438098181-73a607f3","source":"https://android.googlesource.com/platform/frameworks/native/+/020d869e99b02a08a7aa695a391f6f9bb20fa386","target":{"file":"libs/binder/Parcel.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["226620226467265667884944882136950941139","194680325870090258928847415399434156022","227303961434911064723463816536823782131","111872119573103270601884493566886103275"]},"signature_version":"v1","deprecated":false}],"spl":"2025-12-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-438098181.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-12-01"}]}],"versions":["16"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/48ab33eba1eff4afc1c2d72dea846680f70efad2"],"vanir_signatures":[{"id":"ASB-A-438098181-9fa41562","source":"https://android.googlesource.com/platform/frameworks/native/+/48ab33eba1eff4afc1c2d72dea846680f70efad2","target":{"function":"Parcel::appendFrom","file":"libs/binder/Parcel.cpp"},"signature_type":"Function","digest":{"function_hash":"280784413281234592702272574840347455828","length":4581},"signature_version":"v1","deprecated":false},{"id":"ASB-A-438098181-e5136aa6","source":"https://android.googlesource.com/platform/frameworks/native/+/48ab33eba1eff4afc1c2d72dea846680f70efad2","target":{"file":"libs/binder/Parcel.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["226620226467265667884944882136950941139","194680325870090258928847415399434156022","227303961434911064723463816536823782131","111872119573103270601884493566886103275"]},"signature_version":"v1","deprecated":false}],"spl":"2025-12-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-438098181.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-12-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/e091f1ccd6171835fc8258ffe21cf3fd3ab79f7e"],"vanir_signatures":[{"id":"ASB-A-438098181-7bcbd13f","source":"https://android.googlesource.com/platform/frameworks/native/+/e091f1ccd6171835fc8258ffe21cf3fd3ab79f7e","target":{"file":"libs/binder/Parcel.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["226620226467265667884944882136950941139","194680325870090258928847415399434156022","200947130444670339930626986492983268167","130833822954436315010124867936197120994"]},"signature_version":"v1","deprecated":false},{"id":"ASB-A-438098181-b09b7780","source":"https://android.googlesource.com/platform/frameworks/native/+/e091f1ccd6171835fc8258ffe21cf3fd3ab79f7e","target":{"function":"Parcel::appendFrom","file":"libs/binder/Parcel.cpp"},"signature_type":"Function","digest":{"function_hash":"53284757897949183346785532162040992162","length":2359},"signature_version":"v1","deprecated":false}],"spl":"2025-12-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-438098181.json"}},{"package":{"name":"platform/frameworks/native","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-12-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/native/+/e091f1ccd6171835fc8258ffe21cf3fd3ab79f7e"],"vanir_signatures":[{"id":"ASB-A-438098181-26500b1d","source":"https://android.googlesource.com/platform/frameworks/native/+/e091f1ccd6171835fc8258ffe21cf3fd3ab79f7e","target":{"function":"Parcel::appendFrom","file":"libs/binder/Parcel.cpp"},"signature_type":"Function","digest":{"function_hash":"53284757897949183346785532162040992162","length":2359},"signature_version":"v1","deprecated":false},{"id":"ASB-A-438098181-f8b96a83","source":"https://android.googlesource.com/platform/frameworks/native/+/e091f1ccd6171835fc8258ffe21cf3fd3ab79f7e","target":{"file":"libs/binder/Parcel.cpp"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["226620226467265667884944882136950941139","194680325870090258928847415399434156022","200947130444670339930626986492983268167","130833822954436315010124867936197120994"]},"signature_version":"v1","deprecated":false}],"spl":"2025-12-01","severity":"High","types":["EoP"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-438098181.json"}}],"schema_version":"1.7.5"}