{"id":"ASB-A-354682735", "published":"2025-02-01T00:00:00Z", "modified":"2026-04-30T15:48:46.890647439Z", "aliases":["CVE-2024-49721", "A-354682735"], "details":"In InputMethodSubtypeArray of InputMethodSubtypeArray.java, there is a possible way to bypass a key intent check to launch arbitrary activity due to Parcel mismatch. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15-next:0"}, {"fixed":"15-next:2025-02-01"}]}], "versions":["15-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/bc2fbfc0b73535ce9d0c9f73b5130cfffaf4daee"], "severity":"High", "spl":"2025-02-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["272945656874343307030929176821475903658", "81868893111351473390432093093509595063", "167685174330799183210139295969513440766", "86278732709458178783488113640790302973", "173153596735623192581762532373667618704", "28096001934477478579716532119648919290"], "threshold":0.9}, "id":"ASB-A-354682735-bdbd1edf", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/bc2fbfc0b73535ce9d0c9f73b5130cfffaf4daee", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"}}, {"deprecated":false, "digest":{"function_hash":"305048536457532374140609217407252405056", "length":172}, "id":"ASB-A-354682735-be65d1b2", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/bc2fbfc0b73535ce9d0c9f73b5130cfffaf4daee", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java", "function":"InputMethodSubtypeArray"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12:0"}, {"fixed":"12:2025-02-01"}]}], "versions":["12"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/1e973616542153aaed999c4f1c292ce493f40049"], "severity":"High", "spl":"2025-02-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["272945656874343307030929176821475903658", "81868893111351473390432093093509595063", "167685174330799183210139295969513440766", "86278732709458178783488113640790302973", "173153596735623192581762532373667618704", "28096001934477478579716532119648919290"], "threshold":0.9}, "id":"ASB-A-354682735-0e606605", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/1e973616542153aaed999c4f1c292ce493f40049", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"}}, {"deprecated":false, "digest":{"function_hash":"305048536457532374140609217407252405056", "length":172}, "id":"ASB-A-354682735-c45dc737", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/1e973616542153aaed999c4f1c292ce493f40049", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java", "function":"InputMethodSubtypeArray"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"12L:0"}, {"fixed":"12L:2025-02-01"}]}], "versions":["12L"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/b7acc399ad02f3c2faa6cdb61a86a3c642418208"], "severity":"High", "spl":"2025-02-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["272945656874343307030929176821475903658", "81868893111351473390432093093509595063", "167685174330799183210139295969513440766", "86278732709458178783488113640790302973", "173153596735623192581762532373667618704", "28096001934477478579716532119648919290"], "threshold":0.9}, "id":"ASB-A-354682735-3dbe64c9", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/b7acc399ad02f3c2faa6cdb61a86a3c642418208", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"}}, {"deprecated":false, "digest":{"function_hash":"305048536457532374140609217407252405056", "length":172}, "id":"ASB-A-354682735-472f1e37", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/b7acc399ad02f3c2faa6cdb61a86a3c642418208", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java", "function":"InputMethodSubtypeArray"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"13:0"}, {"fixed":"13:2025-02-01"}]}], "versions":["13"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e863b7b8285f122fafbab5439ad3c337172bff6c"], "severity":"High", "spl":"2025-02-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"305048536457532374140609217407252405056", "length":172}, "id":"ASB-A-354682735-68cfb5ee", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e863b7b8285f122fafbab5439ad3c337172bff6c", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java", "function":"InputMethodSubtypeArray"}}, {"deprecated":false, "digest":{"line_hashes":["272945656874343307030929176821475903658", "81868893111351473390432093093509595063", "167685174330799183210139295969513440766", "86278732709458178783488113640790302973", "173153596735623192581762532373667618704", "28096001934477478579716532119648919290"], "threshold":0.9}, "id":"ASB-A-354682735-e128ab79", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e863b7b8285f122fafbab5439ad3c337172bff6c", "target":{"file":"core/java/android/view/inputmethod/InputMethodSubtypeArray.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2025-02-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/7714ccb85ed961083dcc97e230c71242c3422b5e"}]}