{"id":"ASB-A-483142784","details":"In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-483142784","CVE-2026-0087"],"modified":"2026-06-09T15:27:06.151355248Z","published":"2026-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/2e3d71d027b090e6466b96995678e38b22ba3fe1"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"17-next:0"},{"fixed":"17-next:2026-06-01"}]}],"versions":["17-next"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/919d0cb125b31e1512417a69251f1cbee54ab12e","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["28086757613808636571293150421992630243","296370572484403638996969933491344691954","8100873637863738537154911431949510340","174250822925968074363432334153051076242"]},"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java"},"id":"ASB-A-483142784-654b2af8","signature_version":"v1"},{"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/919d0cb125b31e1512417a69251f1cbee54ab12e","deprecated":false,"digest":{"function_hash":"297028611211371646434528503033904320718","length":3771},"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java","function":"approvalLevelForDomainInternal"},"id":"ASB-A-483142784-d798b688","signature_version":"v1"}],"spl":"2026-06-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/919d0cb125b31e1512417a69251f1cbee54ab12e"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-483142784.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-06-01"}]}],"versions":["15"],"ecosystem_specific":{"spl":"2026-06-01","vanir_signatures":[{"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java"},"source":"https://android.googlesource.com/platform/frameworks/base/+/4a8db66f06dce12deb036ab599cbebecdf82c3ac","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["28086757613808636571293150421992630243","296370572484403638996969933491344691954","8100873637863738537154911431949510340","174250822925968074363432334153051076242"]},"signature_type":"Line","id":"ASB-A-483142784-0a531de0","signature_version":"v1"},{"signature_type":"Function","source":"https://android.googlesource.com/platform/frameworks/base/+/4a8db66f06dce12deb036ab599cbebecdf82c3ac","deprecated":false,"digest":{"function_hash":"297028611211371646434528503033904320718","length":3771},"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java","function":"approvalLevelForDomainInternal"},"id":"ASB-A-483142784-f5424dcd","signature_version":"v1"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/4a8db66f06dce12deb036ab599cbebecdf82c3ac"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-483142784.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-06-01"}]}],"versions":["16"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/7f86f0843a74dfebb237d4a5b63384622edbb9d6","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["28086757613808636571293150421992630243","296370572484403638996969933491344691954","8100873637863738537154911431949510340","174250822925968074363432334153051076242"]},"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java"},"id":"ASB-A-483142784-13022318","signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java","function":"approvalLevelForDomainInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/7f86f0843a74dfebb237d4a5b63384622edbb9d6","deprecated":false,"digest":{"function_hash":"297028611211371646434528503033904320718","length":3771},"signature_type":"Function","id":"ASB-A-483142784-c08c0190","signature_version":"v1"}],"spl":"2026-06-01","types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/7f86f0843a74dfebb237d4a5b63384622edbb9d6"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-483142784.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2:0"},{"fixed":"16-qpr2:2026-06-01"}]}],"versions":["16-qpr2"],"ecosystem_specific":{"spl":"2026-06-01","vanir_signatures":[{"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/e3f418a757f3fb64764e0bdf00e4087d9937845f","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["28086757613808636571293150421992630243","296370572484403638996969933491344691954","8100873637863738537154911431949510340","174250822925968074363432334153051076242"]},"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java"},"id":"ASB-A-483142784-2892cb65","signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java","function":"approvalLevelForDomainInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/e3f418a757f3fb64764e0bdf00e4087d9937845f","deprecated":false,"digest":{"function_hash":"297028611211371646434528503033904320718","length":3771},"signature_type":"Function","id":"ASB-A-483142784-2956cc26","signature_version":"v1"}],"types":["EoP"],"severity":"High","fixes":["https://android.googlesource.com/platform/frameworks/base/+/e3f418a757f3fb64764e0bdf00e4087d9937845f"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-483142784.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-06-01"}]}],"versions":["14"],"ecosystem_specific":{"vanir_signatures":[{"signature_type":"Line","source":"https://android.googlesource.com/platform/frameworks/base/+/2a36adeeceed24d7ec0bc0bf0c58ff9148897a39","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["28086757613808636571293150421992630243","296370572484403638996969933491344691954","8100873637863738537154911431949510340","174250822925968074363432334153051076242"]},"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java"},"id":"ASB-A-483142784-4f15bd0c","signature_version":"v1"},{"target":{"file":"services/core/java/com/android/server/pm/verify/domain/DomainVerificationService.java","function":"approvalLevelForDomainInternal"},"source":"https://android.googlesource.com/platform/frameworks/base/+/2a36adeeceed24d7ec0bc0bf0c58ff9148897a39","deprecated":false,"digest":{"function_hash":"297028611211371646434528503033904320718","length":3771},"signature_type":"Function","id":"ASB-A-483142784-de512acc","signature_version":"v1"}],"spl":"2026-06-01","types":["EoP"],"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2a36adeeceed24d7ec0bc0bf0c58ff9148897a39"],"severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-483142784.json"}}],"schema_version":"1.7.5"}