{"id":"ASB-A-442392902","details":"In onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-442392902","CVE-2025-48654"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/924df83d73d9f938fde025c2e793ca12646207e0"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/975dab1f72d08a4444cb07c8bd7206ae95f2e65c"],"vanir_signatures":[{"id":"ASB-A-442392902-537d06de","signature_version":"v1","digest":{"length":277,"function_hash":"262238437593147484460386964637528596510"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/975dab1f72d08a4444cb07c8bd7206ae95f2e65c","target":{"function":"onStart","file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false},{"id":"ASB-A-442392902-cb8227b6","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["100773564642563799443363088126167028264","337625126975700278524523411866481193415","68463754524088633172381643215059855522","194173072776936318033832449965978497353","99636806959312342506754886445120011592","309306652100673762866566535910597669584","16881537851996141394921705504896483707"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/975dab1f72d08a4444cb07c8bd7206ae95f2e65c","target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false}],"types":["EoP"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-442392902.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/13714bcfaff6ef1c16d0aa3d359b1c8bc1859ac3"],"vanir_signatures":[{"id":"ASB-A-442392902-38f3cc73","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["100773564642563799443363088126167028264","337625126975700278524523411866481193415","68463754524088633172381643215059855522","19561236882564109537809807217987058052","99636806959312342506754886445120011592","309306652100673762866566535910597669584","16881537851996141394921705504896483707"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/13714bcfaff6ef1c16d0aa3d359b1c8bc1859ac3","target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false},{"id":"ASB-A-442392902-52d47ff1","signature_version":"v1","digest":{"length":277,"function_hash":"262238437593147484460386964637528596510"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/13714bcfaff6ef1c16d0aa3d359b1c8bc1859ac3","target":{"function":"onStart","file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false}],"types":["EoP"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-442392902.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2:0"},{"fixed":"16-qpr2:2026-03-01"}]}],"versions":["16-qpr2"],"ecosystem_specific":{"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/665bab82f9b4dfe9afe9d9c0010f076ff154f936"],"vanir_signatures":[{"id":"ASB-A-442392902-c1d38471","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["100773564642563799443363088126167028264","337625126975700278524523411866481193415","68463754524088633172381643215059855522","19561236882564109537809807217987058052","99636806959312342506754886445120011592","309306652100673762866566535910597669584","16881537851996141394921705504896483707"]},"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/665bab82f9b4dfe9afe9d9c0010f076ff154f936","target":{"file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false},{"id":"ASB-A-442392902-c3097227","signature_version":"v1","digest":{"length":277,"function_hash":"262238437593147484460386964637528596510"},"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/665bab82f9b4dfe9afe9d9c0010f076ff154f936","target":{"function":"onStart","file":"services/companion/java/com/android/server/companion/CompanionDeviceManagerService.java"},"deprecated":false}],"types":["EoP"],"spl":"2026-03-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-442392902.json"}}],"schema_version":"1.7.5"}