{"id":"ASB-A-443272513", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-26T15:22:10.377767615Z", "aliases":["CVE-2026-0046", "A-443272513"], "details":"In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-06-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/daeb32e593578f5edb90dfde6de793ab25839d6b"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["251810169675144913831381873925444749318", "115688420652216939231520039948728229678", "317524578787033404370470961539721797341", "253948753883947366904399532474829523384", "35003462641067813379285174155277925459"], "threshold":0.9}, "id":"ASB-A-443272513-cf94711a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/daeb32e593578f5edb90dfde6de793ab25839d6b", "target":{"file":"services/core/java/com/android/server/wm/Letterbox.java"}}, {"deprecated":false, "digest":{"function_hash":"192360108082157362829441649745300773559", "length":929}, "id":"ASB-A-443272513-e7041f7f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/daeb32e593578f5edb90dfde6de793ab25839d6b", "target":{"file":"services/core/java/com/android/server/wm/Letterbox.java", "function":"InputInterceptor"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-06-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/43e53be21c7d0124d91c17c99e0b62f63954ef97"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["39547778838291542414970788317529234735", "318254678090900584378963063527244382987", "317524578787033404370470961539721797341", "338403049834305913493798899405594738983", "5954312065647515710136481307528376572"], "threshold":0.9}, "id":"ASB-A-443272513-a7515518", "match_only_versions":["16"], "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/43e53be21c7d0124d91c17c99e0b62f63954ef97", "target":{"file":"services/core/java/com/android/server/wm/Letterbox.java"}}, {"deprecated":false, "digest":{"function_hash":"303054201903813612624441790066388656647", "length":1057}, "id":"ASB-A-443272513-c1595145", "match_only_versions":["16"], "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/43e53be21c7d0124d91c17c99e0b62f63954ef97", "target":{"file":"services/core/java/com/android/server/wm/Letterbox.java", "function":"InputInterceptor"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-06-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/7f293f09fa57aa3904d27363bb373a4f28bfee03"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["251810169675144913831381873925444749318", "115688420652216939231520039948728229678", "317524578787033404370470961539721797341", "253948753883947366904399532474829523384", "35003462641067813379285174155277925459"], "threshold":0.9}, "id":"ASB-A-443272513-5d7739e6", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/7f293f09fa57aa3904d27363bb373a4f28bfee03", "target":{"file":"services/core/java/com/android/server/wm/Letterbox.java"}}, {"deprecated":false, "digest":{"function_hash":"189509867493529149422764477248739557943", "length":892}, "id":"ASB-A-443272513-9c95ad47", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/7f293f09fa57aa3904d27363bb373a4f28bfee03", "target":{"file":"services/core/java/com/android/server/wm/Letterbox.java", "function":"InputInterceptor"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/678475b0c23cd3edc527b0b21e42fbafc028ee1a"}]}