{"id":"ASB-A-378900798", "published":"2025-04-01T00:00:00Z", "modified":"2026-04-30T15:48:46.890647439Z", "aliases":["CVE-2025-22434", "A-378900798"], "details":"In handleKeyGestureEvent of PhoneWindowManager.java, there is a possible lock screen bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15-next:0"}, {"fixed":"15-next:2025-04-01"}]}], "versions":["15-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e"], "severity":"High", "spl":"2025-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["28959012149391887303789223419682196407", "215127324013538836164832943935517447144", "122346560820462425574650886488120941592", "141147856498508908974573375085630678132", "82978871960677067790497560000903917110", "318962236996577307363230580472724364961", "310334583965931542305255613790248446481", "240426481127596124219141509960202155400"], "threshold":0.9}, "id":"ASB-A-378900798-71cbfaba", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e", "target":{"file":"services/tests/wmtests/src/com/android/server/policy/TestPhoneWindowManager.java"}}, {"deprecated":false, "digest":{"line_hashes":["5828766274388516397566572745948822464", "124632940938700056805077162839905099998", "182912203242445935183955433600191947697", "201858365207918023506002747891858575986", "200726031119648814314848430492283690579", "18898144419850499145640303968815291890", "201253257454322719274508933938236405084", "241777363525423794927680092799825515398", "205707680570418314863727179338086639768", "425236404571181564445548470422597295", "148633512413854456895346780016781149739", "284075078948593042391195242283249550160", "192022396674133910526800760553630864562", "39727040980124287229594313204547240278", "221623086975130625870752093029597776387", "80707218644163245194688901665023341486", "242871270962377328135490985862290695100", "73043268094597511653556206109848195832", "326174678286568785741864515931416712752", "37760316796022335458527079684903795326", "4215683018465675134115717880758973220", "145307013262920037754817676949053726931", "108500933277267243668883735296037446108", "105885099068052262622092640624525478891", "219112832347519433113877361761481251523"], "threshold":0.9}, "id":"ASB-A-378900798-909dada6", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}}, {"deprecated":false, "digest":{"function_hash":"66523745031589451048016083060354495390", "length":12701}, "id":"ASB-A-378900798-9efc74fe", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java", "function":"interceptSystemKeysAndShortcutsOld"}}, {"deprecated":false, "digest":{"function_hash":"174129089617097500984247160286301691920", "length":5646}, "id":"ASB-A-378900798-f740cbeb", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/d615298466085c4a88c6733804160e0c1ee7e31e", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java", "function":"handleKeyGestureEvent"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2025-04-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4"], "severity":"High", "spl":"2025-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"281206938812453495773924118125475532002", "length":11747}, "id":"ASB-A-378900798-3e00b245", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java", "function":"interceptSystemKeysAndShortcuts"}}, {"deprecated":false, "digest":{"line_hashes":["5828766274388516397566572745948822464", "124632940938700056805077162839905099998", "185055474619527747241625598921442687391", "322705238235269899514175635159589048835"], "threshold":0.9}, "id":"ASB-A-378900798-4a044bb8", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e4d483a2ef99a71c6fcd6ad2e6c2f8f88ba380f4", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2025-04-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/4eeb65a1f685f4bb6d5288b8e67ef92faf2cfeb4"], "severity":"High", "spl":"2025-04-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"310739601641574088625821270794126574556", "length":9261}, "id":"ASB-A-378900798-d7dc3cd8", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4eeb65a1f685f4bb6d5288b8e67ef92faf2cfeb4", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java", "function":"interceptKeyBeforeDispatching"}}, {"deprecated":false, "digest":{"line_hashes":["297821185608581471747983514677418212304", "241564979252892164497298041986132519504", "22612875316046615395319571399059617069", "235875679742249690051929597598037858457"], "threshold":0.9}, "id":"ASB-A-378900798-e56a5138", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/4eeb65a1f685f4bb6d5288b8e67ef92faf2cfeb4", "target":{"file":"services/core/java/com/android/server/policy/PhoneWindowManager.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2025-04-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/2880f0ab2dc63dc6ea820afb79e9be523ecb7074"}]}