{"id":"ASB-A-447135012","details":"In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-447135012","CVE-2026-0013"],"modified":"2026-04-17T15:55:28.020024Z","published":"2026-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/9f2d3f09f8fdc099d5a2d4c8bf3e8ec460bb9233"}],"affected":[{"package":{"name":"platform/packages/apps/DocumentsUI","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2-next:0"},{"fixed":"16-qpr2-next:2026-03-01"}]}],"versions":["16-qpr2-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/32d6a7338dc3f655832c2832dc93d2cc66a2021e"],"vanir_signatures":[{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java"},"signature_version":"v1","signature_type":"Line","id":"ASB-A-447135012-519c4105","digest":{"threshold":0.9,"line_hashes":["103502400345607294393142118702258590127","264578776238228467373563782560745062698","38333945831087452299655159235332406990","125995445259084665981549517189839964459"]},"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/32d6a7338dc3f655832c2832dc93d2cc66a2021e","deprecated":false,"match_only_versions":["16-qpr2-next"]},{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java","function":"setupLayout"},"signature_version":"v1","signature_type":"Function","id":"ASB-A-447135012-b9003726","digest":{"length":1678,"function_hash":"156743767400915202046690974386472525007"},"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/32d6a7338dc3f655832c2832dc93d2cc66a2021e","deprecated":false,"match_only_versions":["16-qpr2-next"]}],"types":["EoP"],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-447135012.json"}},{"package":{"name":"platform/packages/apps/DocumentsUI","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-03-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/550b1a413361b58511a92c0e4a451c5efd0945f1"],"vanir_signatures":[{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java"},"signature_type":"Line","id":"ASB-A-447135012-9cef64bf","digest":{"threshold":0.9,"line_hashes":["103502400345607294393142118702258590127","264578776238228467373563782560745062698","38333945831087452299655159235332406990","111416144613965476055017657672312028260"]},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/550b1a413361b58511a92c0e4a451c5efd0945f1"},{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java","function":"setupLayout"},"signature_type":"Function","id":"ASB-A-447135012-bb1baa77","digest":{"length":1240,"function_hash":"210208562606341878581047640278892643461"},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/550b1a413361b58511a92c0e4a451c5efd0945f1"}],"types":["EoP"],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-447135012.json"}},{"package":{"name":"platform/packages/apps/DocumentsUI","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-03-01"}]}],"versions":["16"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/8eebea12db1815135398dfcc4c0276966c2790f9"],"vanir_signatures":[{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java","function":"setupLayout"},"signature_type":"Function","id":"ASB-A-447135012-36b499ce","digest":{"length":1460,"function_hash":"120162466560451992709576043753057550201"},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/8eebea12db1815135398dfcc4c0276966c2790f9"},{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java"},"signature_type":"Line","id":"ASB-A-447135012-9f4b7c3d","digest":{"threshold":0.9,"line_hashes":["103502400345607294393142118702258590127","264578776238228467373563782560745062698","38333945831087452299655159235332406990","111416144613965476055017657672312028260"]},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/8eebea12db1815135398dfcc4c0276966c2790f9"}],"types":["EoP"],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-447135012.json"}},{"package":{"name":"platform/packages/apps/DocumentsUI","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-03-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/631cfe0fc0bddaea1ff7dade5f9c1ac46100d91b"],"vanir_signatures":[{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java","function":"setupLayout"},"signature_type":"Function","id":"ASB-A-447135012-cb97d3d5","digest":{"length":1009,"function_hash":"62780047556389138076162461782259110862"},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/631cfe0fc0bddaea1ff7dade5f9c1ac46100d91b"},{"target":{"file":"src/com/android/documentsui/picker/PickActivity.java"},"signature_type":"Line","id":"ASB-A-447135012-ded5e133","digest":{"threshold":0.9,"line_hashes":["103502400345607294393142118702258590127","321784852465166673021149462032257623205","273463559620289439968745718978014284962","231780973864924926929498320679730924075"]},"signature_version":"v1","deprecated":false,"source":"https://android.googlesource.com/platform/packages/apps/DocumentsUI/+/631cfe0fc0bddaea1ff7dade5f9c1ac46100d91b"}],"types":["EoP"],"spl":"2026-03-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-447135012.json"}}],"schema_version":"1.7.5"}