{"id":"ASB-A-389950114", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-18T15:04:46.258745422Z", "aliases":["CVE-2026-28577", "A-389950114"], "details":"In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"17-next:0"}, {"fixed":"17-next:2026-06-01"}]}], "versions":["17-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/352e98e9ed8ab9a0c63a499665b09d2ab2769f7e"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"37023614408704152922898003860348940367", "length":10650}, "id":"ASB-A-389950114-779afdb8", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/352e98e9ed8ab9a0c63a499665b09d2ab2769f7e", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"addWindow"}}, {"deprecated":false, "digest":{"line_hashes":["27932017891604966021544559811175071959", "315475683212704727166760713577483752255", "188394027801698029900481290853172735849", "146255118690895660322814751209724989281"], "threshold":0.9}, "id":"ASB-A-389950114-c929b27d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/352e98e9ed8ab9a0c63a499665b09d2ab2769f7e", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-06-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/fd23e57220d587660cbe175d6b465cbc2aec222c"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["27932017891604966021544559811175071959", "315475683212704727166760713577483752255", "188394027801698029900481290853172735849", "146255118690895660322814751209724989281"], "threshold":0.9}, "id":"ASB-A-389950114-5a5b86c1", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fd23e57220d587660cbe175d6b465cbc2aec222c", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"148305495535218786312359090108893745353", "length":12058}, "id":"ASB-A-389950114-c8568fd9", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fd23e57220d587660cbe175d6b465cbc2aec222c", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"addWindow"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-06-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/55aea98481db15689b390c54cae99c409281343f"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["27932017891604966021544559811175071959", "315475683212704727166760713577483752255", "188394027801698029900481290853172735849", "146255118690895660322814751209724989281"], "threshold":0.9}, "id":"ASB-A-389950114-0c5e45bc", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/55aea98481db15689b390c54cae99c409281343f", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"243270993435680713753112798670756826899", "length":10163}, "id":"ASB-A-389950114-fb8535a4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/55aea98481db15689b390c54cae99c409281343f", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"addWindow"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-06-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/69ace6d38b365847d80653750f26b204adf6e663"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"257551047976146560909936817794158404180", "length":10318}, "id":"ASB-A-389950114-49e2ace8", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/69ace6d38b365847d80653750f26b204adf6e663", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"addWindow"}}, {"deprecated":false, "digest":{"line_hashes":["27932017891604966021544559811175071959", "315475683212704727166760713577483752255", "188394027801698029900481290853172735849", "146255118690895660322814751209724989281"], "threshold":0.9}, "id":"ASB-A-389950114-b59877db", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/69ace6d38b365847d80653750f26b204adf6e663", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-06-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/17371594baff69a8ff477391955892c4f4826e9e"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["202172281432802788764437662650800201764", "320654047162801706391931505276938494247", "311851507303705137638921337089418703794", "35334715859477885055920626759108336810", "193040290859915295078663424525547000884", "6717804215693328633612723713520932004", "75918700486122701689821166961144622431", "100354566591792921295502418529525925051"], "threshold":0.9}, "id":"ASB-A-389950114-5ab43416", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/17371594baff69a8ff477391955892c4f4826e9e", "target":{"file":"services/core/java/com/android/server/wm/Session.java"}}, {"deprecated":false, "digest":{"line_hashes":["27932017891604966021544559811175071959", "315475683212704727166760713577483752255", "188394027801698029900481290853172735849", "146255118690895660322814751209724989281"], "threshold":0.9}, "id":"ASB-A-389950114-8982a786", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/17371594baff69a8ff477391955892c4f4826e9e", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java"}}, {"deprecated":false, "digest":{"function_hash":"167559775866481484354643738417520888154", "length":1723}, "id":"ASB-A-389950114-da986ae5", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/17371594baff69a8ff477391955892c4f4826e9e", "target":{"file":"services/core/java/com/android/server/wm/Session.java", "function":"Session"}}, {"deprecated":false, "digest":{"function_hash":"244615652217948530878621236300419731821", "length":12113}, "id":"ASB-A-389950114-fdc8907f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/17371594baff69a8ff477391955892c4f4826e9e", "target":{"file":"services/core/java/com/android/server/wm/WindowManagerService.java", "function":"addWindow"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}]}