{"id":"ASB-A-463364410","details":"In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-463364410","CVE-2026-0048"],"modified":"2026-06-12T15:08:17.296522730Z","published":"2026-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/36a774d7239923d0ef16ae5f51b87fb132e2bbb9"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"17-next:0"},{"fixed":"17-next:2026-06-01"}]}],"versions":["17-next"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/0246ce8a4eafb042885ae212cf503285b4cd91c6","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["213056150204855974978108011784885620547","65666995771609329779778236334220027558","102126945982789904211617090980218355191","26346426303184886208092506844304388318"]},"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"signature_type":"Line","id":"ASB-A-463364410-7caf608d","deprecated":false},{"source":"https://android.googlesource.com/platform/frameworks/base/+/0246ce8a4eafb042885ae212cf503285b4cd91c6","signature_version":"v1","signature_type":"Function","digest":{"length":977,"function_hash":"159025997728744761787732655721851653361"},"target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"},"id":"ASB-A-463364410-cb760fcc","deprecated":false}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/0246ce8a4eafb042885ae212cf503285b4cd91c6"],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-463364410.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-06-01"}]}],"versions":["15"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"source":"https://android.googlesource.com/platform/frameworks/base/+/628b977e0ed69724c9d525d085a56d4c5240b735","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["213056150204855974978108011784885620547","65666995771609329779778236334220027558","102126945982789904211617090980218355191","26346426303184886208092506844304388318"]},"target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"signature_type":"Line","id":"ASB-A-463364410-37a1510f","deprecated":false},{"signature_version":"v1","digest":{"length":861,"function_hash":"142158782823989243623119978438196278745"},"source":"https://android.googlesource.com/platform/frameworks/base/+/628b977e0ed69724c9d525d085a56d4c5240b735","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"},"signature_type":"Function","id":"ASB-A-463364410-a49b8cbb","deprecated":false}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/628b977e0ed69724c9d525d085a56d4c5240b735"],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-463364410.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-06-01"}]}],"versions":["16"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":861,"function_hash":"142158782823989243623119978438196278745"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e0fc0b9962498477378d18d7799c1339b0bdf1e5","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"},"id":"ASB-A-463364410-558545b0","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["213056150204855974978108011784885620547","65666995771609329779778236334220027558","102126945982789904211617090980218355191","26346426303184886208092506844304388318"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/e0fc0b9962498477378d18d7799c1339b0bdf1e5","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-463364410-bfe0a35e","deprecated":false}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e0fc0b9962498477378d18d7799c1339b0bdf1e5"],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-463364410.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2:0"},{"fixed":"16-qpr2:2026-06-01"}]}],"versions":["16-qpr2"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"digest":{"length":977,"function_hash":"159025997728744761787732655721851653361"},"source":"https://android.googlesource.com/platform/frameworks/base/+/0bd3fadc1852775b9c87e6836ca56b175b179a38","signature_version":"v1","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"},"id":"ASB-A-463364410-0c635a62","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["213056150204855974978108011784885620547","65666995771609329779778236334220027558","102126945982789904211617090980218355191","26346426303184886208092506844304388318"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/0bd3fadc1852775b9c87e6836ca56b175b179a38","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"signature_type":"Line","id":"ASB-A-463364410-a9dcd95d","deprecated":false}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/0bd3fadc1852775b9c87e6836ca56b175b179a38"],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-463364410.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-06-01"}]}],"versions":["14"],"ecosystem_specific":{"severity":"High","vanir_signatures":[{"signature_version":"v1","digest":{"length":861,"function_hash":"142158782823989243623119978438196278745"},"source":"https://android.googlesource.com/platform/frameworks/base/+/6ca1d6b26237d3f1ae0dac23e5f4bb487b23bf93","signature_type":"Function","target":{"file":"services/core/java/com/android/server/wm/WindowState.java","function":"hide"},"id":"ASB-A-463364410-6bf1843f","deprecated":false},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["213056150204855974978108011784885620547","65666995771609329779778236334220027558","102126945982789904211617090980218355191","26346426303184886208092506844304388318"]},"source":"https://android.googlesource.com/platform/frameworks/base/+/6ca1d6b26237d3f1ae0dac23e5f4bb487b23bf93","signature_type":"Line","target":{"file":"services/core/java/com/android/server/wm/WindowState.java"},"id":"ASB-A-463364410-8e2ee10a","deprecated":false}],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/6ca1d6b26237d3f1ae0dac23e5f4bb487b23bf93"],"types":["EoP"],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-463364410.json"}}],"schema_version":"1.7.5"}