{"id":"ASB-A-452010556","details":"In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-452010556","CVE-2026-0061"],"modified":"2026-06-30T17:13:17.150140148Z","published":"2026-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/4518f78f8b34510a1329c60dc5e0b018f015a6e3"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"17-next:0"},{"fixed":"17-next:2026-06-01"}]}],"versions":["17-next"],"ecosystem_specific":{"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe"],"vanir_signatures":[{"target":{"function":"checkPolicyVisibilityChange","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-cb85155d","deprecated":false,"digest":{"function_hash":"219547898696826789866437462920609420287","length":678},"source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe","signature_version":"v1","signature_type":"Function"},{"target":{"function":"show","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-cbcb4ac4","deprecated":false,"digest":{"function_hash":"138155818687340239248084879561883814677","length":1263},"source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe","signature_version":"v1","signature_type":"Function"},{"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"deprecated":false,"id":"ASB-A-452010556-d3cc0b9d","signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["132273760158267097983055288787745018694","47474440456811787385441026627601259867","242470691432714548066435559718828354906","56253570038693443920346756364922371372","165124606163499328616044586147998878597","156262576093604747735016125120236669588","192755441024916862262803870834814989812","327426287910549702753734403691805186519","121307267217890474450687958466294167117","124008452490842615502247265697895910966","166910566218191803577508002129885722568","203909322426140432772460716763774854065"]}},{"target":{"function":"hide","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-fb17d557","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe","digest":{"function_hash":"159025997728744761787732655721851653361","length":977},"signature_version":"v1"}],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-452010556.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-06-01"}]}],"versions":["15"],"ecosystem_specific":{"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43"],"vanir_signatures":[{"target":{"function":"hide","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-0614470d","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43","signature_type":"Function","digest":{"function_hash":"142158782823989243623119978438196278745","length":861}},{"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"deprecated":false,"id":"ASB-A-452010556-2e2f8729","digest":{"threshold":0.9,"line_hashes":["132273760158267097983055288787745018694","47474440456811787385441026627601259867","242470691432714548066435559718828354906","56253570038693443920346756364922371372","165124606163499328616044586147998878597","156262576093604747735016125120236669588","192755441024916862262803870834814989812","327426287910549702753734403691805186519","121307267217890474450687958466294167117","124008452490842615502247265697895910966","324428782986657472512410250713071903874","308282977652990622579472355143846589277"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43","signature_version":"v1","signature_type":"Line"},{"target":{"function":"checkPolicyVisibilityChange","file":"services/core/java/com/android/server/wm/WindowState.java"},"deprecated":false,"id":"ASB-A-452010556-542f0e18","digest":{"function_hash":"219547898696826789866437462920609420287","length":678},"source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43","signature_version":"v1","signature_type":"Function"},{"target":{"function":"show","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-d36fee16","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43","digest":{"function_hash":"295990930738223302744833455286679802854","length":1073},"signature_version":"v1"}],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-452010556.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-06-01"}]}],"versions":["16"],"ecosystem_specific":{"spl":"2026-06-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63"],"vanir_signatures":[{"target":{"function":"checkPolicyVisibilityChange","file":"services/core/java/com/android/server/wm/WindowState.java"},"deprecated":false,"id":"ASB-A-452010556-4d57f745","digest":{"function_hash":"219547898696826789866437462920609420287","length":678},"source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63","signature_version":"v1","signature_type":"Function"},{"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-7d02ecf6","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["132273760158267097983055288787745018694","47474440456811787385441026627601259867","242470691432714548066435559718828354906","56253570038693443920346756364922371372","165124606163499328616044586147998878597","156262576093604747735016125120236669588","192755441024916862262803870834814989812","327426287910549702753734403691805186519","121307267217890474450687958466294167117","124008452490842615502247265697895910966","324428782986657472512410250713071903874","308282977652990622579472355143846589277"]}},{"target":{"function":"show","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-89986394","deprecated":false,"digest":{"function_hash":"295990930738223302744833455286679802854","length":1073},"source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63","signature_version":"v1","signature_type":"Function"},{"target":{"function":"hide","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-f3bd14c2","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63","digest":{"function_hash":"142158782823989243623119978438196278745","length":861},"signature_version":"v1"}],"types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-452010556.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2:0"},{"fixed":"16-qpr2:2026-06-01"}]}],"versions":["16-qpr2"],"ecosystem_specific":{"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71"],"vanir_signatures":[{"target":{"function":"show","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-5e4e82a0","deprecated":false,"digest":{"function_hash":"8161235701582556819583907762950175376","length":1209},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71","signature_version":"v1","signature_type":"Function"},{"target":{"function":"hide","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-5f240f95","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71","signature_type":"Function","digest":{"function_hash":"159025997728744761787732655721851653361","length":977}},{"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-697d3d98","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["132273760158267097983055288787745018694","47474440456811787385441026627601259867","242470691432714548066435559718828354906","56253570038693443920346756364922371372","165124606163499328616044586147998878597","156262576093604747735016125120236669588","192755441024916862262803870834814989812","327426287910549702753734403691805186519","121307267217890474450687958466294167117","124008452490842615502247265697895910966","166910566218191803577508002129885722568","203909322426140432772460716763774854065"]}},{"target":{"function":"checkPolicyVisibilityChange","file":"services/core/java/com/android/server/wm/WindowState.java"},"deprecated":false,"id":"ASB-A-452010556-ba3acbc3","digest":{"function_hash":"219547898696826789866437462920609420287","length":678},"source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71","signature_version":"v1","signature_type":"Function"}],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-452010556.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-06-01"}]}],"versions":["14"],"ecosystem_specific":{"spl":"2026-06-01","fixes":["https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b"],"vanir_signatures":[{"target":{"function":"checkPolicyVisibilityChange","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-39caf7e4","deprecated":false,"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b","digest":{"function_hash":"219547898696826789866437462920609420287","length":678},"signature_version":"v1"},{"target":{"function":"show","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-4247b1ca","deprecated":false,"digest":{"function_hash":"295990930738223302744833455286679802854","length":1073},"source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b","signature_version":"v1","signature_type":"Function"},{"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-97783533","deprecated":false,"signature_version":"v1","source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["189797230159533773981665047340823514841","29852250565518537273863339087482042728","177333664150954540924630996645953050901","260092212136069913281304572642024478635","165124606163499328616044586147998878597","156262576093604747735016125120236669588","192755441024916862262803870834814989812","327426287910549702753734403691805186519","121307267217890474450687958466294167117","124008452490842615502247265697895910966","324428782986657472512410250713071903874","308282977652990622579472355143846589277"]}},{"target":{"function":"hide","file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-452010556-af2902e5","deprecated":false,"digest":{"function_hash":"142158782823989243623119978438196278745","length":861},"source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b","signature_version":"v1","signature_type":"Function"}],"types":["EoP"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-452010556.json"}}],"schema_version":"1.7.5"}