{"id":"ASB-A-436270922", "published":"2025-12-01T00:00:00Z", "modified":"2026-04-03T15:37:31.002635057Z", "aliases":["CVE-2025-48597", "A-436270922"], "details":"In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2-next:0"}, {"fixed":"16-qpr2-next:2025-12-01"}]}], "versions":["16-qpr2-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/3b93cc4b524cc9448b95b3d9f675de92c02dbf2e", "https://android.googlesource.com/platform/frameworks/base/+/14855406edca11c5c31fda254aa69a31a1e0ce30"], "severity":"High", "spl":"2025-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"269355651945343595197839068460635173500", "length":408}, "id":"ASB-A-436270922-1b451ead", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3b93cc4b524cc9448b95b3d9f675de92c02dbf2e", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java", "function":"notifyActivityPipModeChanged"}}, {"deprecated":false, "digest":{"line_hashes":["45269193718133096038878864473633241749", "206492354869348673981360359428897550878", "170507810833751271277044883124400425693"], "threshold":0.9}, "id":"ASB-A-436270922-2063fdf3", "match_only_versions":["16-qpr2-next"], "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14855406edca11c5c31fda254aa69a31a1e0ce30", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip2/phone/PipTransition.java"}}, {"deprecated":false, "digest":{"line_hashes":["336128329414041485986785255850020134500", "98746842833269232625286632026646747239", "135831473560971872199272490872388670048", "181969565180608064734092194822490968042", "64258122971730289070552315897742036470", "10679521965982889797257418100013007925", "209286122155663749117684017571276974824", "325172720954672710133451867413646258794", "193561856278356899081136415864671572432", "25366311734093193200365497717914830895", "39115753259643863982849258164232459802"], "threshold":0.9}, "id":"ASB-A-436270922-4334f258", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3b93cc4b524cc9448b95b3d9f675de92c02dbf2e", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java"}}, {"deprecated":false, "digest":{"line_hashes":["86821652810729998457853978565073637584", "171709855734297732412454876107829838571", "223606371554482717259896023003373584734", "202474807253581810443519112026049002960", "164160144152695512777835565013146156813", "214747920891350396742533930455975626802", "335689480049552677066318057960370594042", "309806977546281634943598961424576444127", "5189011044936290452050350654056291661", "58959286261397950994563372920528278728", "187020830031330811808011884886701070846"], "threshold":0.9}, "id":"ASB-A-436270922-73957961", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3b93cc4b524cc9448b95b3d9f675de92c02dbf2e", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"}}, {"deprecated":false, "digest":{"function_hash":"37138397101098744028833508653506122862", "length":2288}, "id":"ASB-A-436270922-da02464c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/14855406edca11c5c31fda254aa69a31a1e0ce30", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip2/phone/PipTransition.java", "function":"startAnimation"}}, {"deprecated":false, "digest":{"function_hash":"142207781644685433243381974982607573514", "length":2711}, "id":"ASB-A-436270922-e9bd8d7f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3b93cc4b524cc9448b95b3d9f675de92c02dbf2e", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function":"onFinishResize"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2025-12-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/8a84266ada6944eff7e5c73bdee3caefda364bf3"], "severity":"High", "spl":"2025-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["336128329414041485986785255850020134500", "98746842833269232625286632026646747239", "135831473560971872199272490872388670048", "181969565180608064734092194822490968042", "64258122971730289070552315897742036470", "10679521965982889797257418100013007925", "209286122155663749117684017571276974824", "325172720954672710133451867413646258794", "193561856278356899081136415864671572432", "25366311734093193200365497717914830895", "39115753259643863982849258164232459802"], "threshold":0.9}, "id":"ASB-A-436270922-39420ab9", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8a84266ada6944eff7e5c73bdee3caefda364bf3", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java"}}, {"deprecated":false, "digest":{"line_hashes":["325238723818591138230746093925030823060", "11468906281860857246420380433838332081", "223606371554482717259896023003373584734", "202474807253581810443519112026049002960", "208232867089415725152232765778604265836", "83198230257777703797970114132038691945", "180106765281153805190498535982322501001", "312342585698781370468703070961435147610", "58959286261397950994563372920528278728", "187020830031330811808011884886701070846"], "threshold":0.9}, "id":"ASB-A-436270922-3c6349f0", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8a84266ada6944eff7e5c73bdee3caefda364bf3", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"}}, {"deprecated":false, "digest":{"function_hash":"269355651945343595197839068460635173500", "length":408}, "id":"ASB-A-436270922-befde376", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8a84266ada6944eff7e5c73bdee3caefda364bf3", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java", "function":"notifyActivityPipModeChanged"}}, {"deprecated":false, "digest":{"function_hash":"263954588701517194190808501073468744114", "length":2443}, "id":"ASB-A-436270922-d8a11b8a", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/8a84266ada6944eff7e5c73bdee3caefda364bf3", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function":"onFinishResize"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2025-12-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/492b6ca4f31e79d9fced383a59957234aef8f8dc"], "severity":"High", "spl":"2025-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["86821652810729998457853978565073637584", "171709855734297732412454876107829838571", "223606371554482717259896023003373584734", "202474807253581810443519112026049002960", "164160144152695512777835565013146156813", "214747920891350396742533930455975626802", "335689480049552677066318057960370594042", "309806977546281634943598961424576444127", "5189011044936290452050350654056291661", "58959286261397950994563372920528278728", "187020830031330811808011884886701070846"], "threshold":0.9}, "id":"ASB-A-436270922-093e600e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/492b6ca4f31e79d9fced383a59957234aef8f8dc", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"}}, {"deprecated":false, "digest":{"function_hash":"269355651945343595197839068460635173500", "length":408}, "id":"ASB-A-436270922-21d732b3", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/492b6ca4f31e79d9fced383a59957234aef8f8dc", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java", "function":"notifyActivityPipModeChanged"}}, {"deprecated":false, "digest":{"line_hashes":["336128329414041485986785255850020134500", "98746842833269232625286632026646747239", "135831473560971872199272490872388670048", "181969565180608064734092194822490968042", "64258122971730289070552315897742036470", "10679521965982889797257418100013007925", "209286122155663749117684017571276974824", "325172720954672710133451867413646258794", "193561856278356899081136415864671572432", "25366311734093193200365497717914830895", "39115753259643863982849258164232459802"], "threshold":0.9}, "id":"ASB-A-436270922-6abe3427", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/492b6ca4f31e79d9fced383a59957234aef8f8dc", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java"}}, {"deprecated":false, "digest":{"function_hash":"142207781644685433243381974982607573514", "length":2711}, "id":"ASB-A-436270922-fad25ddd", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/492b6ca4f31e79d9fced383a59957234aef8f8dc", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function":"onFinishResize"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2025-12-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/0133713fb2684414f6bc8013c1da8753721281a5"], "severity":"High", "spl":"2025-12-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"202453949181807330055068513652009895444", "length":368}, "id":"ASB-A-436270922-44509d31", "match_only_versions":["14"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0133713fb2684414f6bc8013c1da8753721281a5", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java", "function":"notifyActivityPipModeChanged"}}, {"deprecated":false, "digest":{"line_hashes":["325238723818591138230746093925030823060", "11468906281860857246420380433838332081", "223606371554482717259896023003373584734", "202474807253581810443519112026049002960", "208232867089415725152232765778604265836", "83198230257777703797970114132038691945", "180106765281153805190498535982322501001", "312342585698781370468703070961435147610", "58959286261397950994563372920528278728", "274271080951936779992325168467118112429"], "threshold":0.9}, "id":"ASB-A-436270922-717e7b8f", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0133713fb2684414f6bc8013c1da8753721281a5", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java"}}, {"deprecated":false, "digest":{"function_hash":"279650020036421659054114654503913821380", "length":1717}, "id":"ASB-A-436270922-9afee58d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0133713fb2684414f6bc8013c1da8753721281a5", "target":{"file":"libs/WindowManager/Shell/src/com/android/wm/shell/pip/PipTransition.java", "function":"onFinishResize"}}, {"deprecated":false, "digest":{"line_hashes":["336128329414041485986785255850020134500", "98746842833269232625286632026646747239", "135831473560971872199272490872388670048", "215833453547536518502281781583930079882", "166030460925734169630915997536057336442", "299637781764851204431773791829786640460", "325172720954672710133451867413646258794", "315073648038566226938144418853880936637", "221578477654262899328120638092141255070"], "threshold":0.9}, "id":"ASB-A-436270922-f0f143b1", "match_only_versions":["14"], "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0133713fb2684414f6bc8013c1da8753721281a5", "target":{"file":"services/core/java/com/android/server/wm/RootWindowContainer.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2025-12-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/68170bad52250399d2e4a1a8023a3e7aeda1887d"}]}