{"id":"ASB-A-428700812", "published":"2026-03-01T00:00:00Z", "modified":"2026-04-30T15:48:46.890647439Z", "aliases":["CVE-2025-48574", "A-428700812"], "details":"In validateAddingWindowLw of DisplayPolicy.java, there is a possible way for an app to intercept drag-and-drop events due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2-next:0"}, {"fixed":"16-qpr2-next:2026-03-01"}]}], "versions":["16-qpr2-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/467b18585de4d1faa80d4b056dd3d69654d16651"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["98752812802073782255665731612229756896", "274262754643115422597428948583922289536", "318731427274930132367561533845173014749", "317343576857372265059508882391318437561"], "threshold":0.9}, "id":"ASB-A-428700812-4705c668", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/467b18585de4d1faa80d4b056dd3d69654d16651", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"}}, {"deprecated":false, "digest":{"function_hash":"186755667958182594295730593138560154409", "length":1231}, "id":"ASB-A-428700812-52e0f1fa", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/467b18585de4d1faa80d4b056dd3d69654d16651", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java", "function":"validateAddingWindowLw"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-03-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c33c47731fd942dd54d6cedaa222eadbbade098b"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"29989405332654415831203586040819263246", "length":1929}, "id":"ASB-A-428700812-529ee2cb", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c33c47731fd942dd54d6cedaa222eadbbade098b", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java", "function":"validateAddingWindowLw"}}, {"deprecated":false, "digest":{"line_hashes":["98752812802073782255665731612229756896", "274262754643115422597428948583922289536", "148102332571247974663867562405591437184", "117545886929869845745615480157282044347"], "threshold":0.9}, "id":"ASB-A-428700812-fc2ee646", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c33c47731fd942dd54d6cedaa222eadbbade098b", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-03-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/c63342c195420912e6b2ce30b8a13d435f253a05"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"172941894425957385641700590191833076711", "length":1785}, "id":"ASB-A-428700812-eb31c1f3", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c63342c195420912e6b2ce30b8a13d435f253a05", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java", "function":"validateAddingWindowLw"}}, {"deprecated":false, "digest":{"line_hashes":["98752812802073782255665731612229756896", "274262754643115422597428948583922289536", "318731427274930132367561533845173014749", "317343576857372265059508882391318437561"], "threshold":0.9}, "id":"ASB-A-428700812-f8755ed4", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c63342c195420912e6b2ce30b8a13d435f253a05", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-03-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/94a7059e033c4ebb226bc587e23e0abe9a1141ec"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["98752812802073782255665731612229756896", "274262754643115422597428948583922289536", "148102332571247974663867562405591437184", "117545886929869845745615480157282044347"], "threshold":0.9}, "id":"ASB-A-428700812-65ee588a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/94a7059e033c4ebb226bc587e23e0abe9a1141ec", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java"}}, {"deprecated":false, "digest":{"function_hash":"121505959893738281513223359954111053405", "length":3035}, "id":"ASB-A-428700812-f1c80cbe", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/94a7059e033c4ebb226bc587e23e0abe9a1141ec", "target":{"file":"services/core/java/com/android/server/wm/DisplayPolicy.java", "function":"validateAddingWindowLw"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-03-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/1cfd8237b5a8e9fa64367e3d0dfff525d63821e1"}]}