{"id":"ASB-A-452010556", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-26T15:22:10.377767615Z", "aliases":["CVE-2026-0061", "A-452010556"], "details":"In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"17-next:0"}, {"fixed":"17-next:2026-06-01"}]}], "versions":["17-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"219547898696826789866437462920609420287", "length":678}, "id":"ASB-A-452010556-cb85155d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"checkPolicyVisibilityChange"}}, {"deprecated":false, "digest":{"function_hash":"138155818687340239248084879561883814677", "length":1263}, "id":"ASB-A-452010556-cbcb4ac4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"show"}}, {"deprecated":false, "digest":{"line_hashes":["132273760158267097983055288787745018694", "47474440456811787385441026627601259867", "242470691432714548066435559718828354906", "56253570038693443920346756364922371372", "165124606163499328616044586147998878597", "156262576093604747735016125120236669588", "192755441024916862262803870834814989812", "327426287910549702753734403691805186519", "121307267217890474450687958466294167117", "124008452490842615502247265697895910966", "166910566218191803577508002129885722568", "203909322426140432772460716763774854065"], "threshold":0.9}, "id":"ASB-A-452010556-d3cc0b9d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"159025997728744761787732655721851653361", "length":977}, "id":"ASB-A-452010556-fb17d557", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/47589e30fe8bd9b8884758985bd23fb25b83a8fe", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-06-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"142158782823989243623119978438196278745", "length":861}, "id":"ASB-A-452010556-0614470d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}, {"deprecated":false, "digest":{"line_hashes":["132273760158267097983055288787745018694", "47474440456811787385441026627601259867", "242470691432714548066435559718828354906", "56253570038693443920346756364922371372", "165124606163499328616044586147998878597", "156262576093604747735016125120236669588", "192755441024916862262803870834814989812", "327426287910549702753734403691805186519", "121307267217890474450687958466294167117", "124008452490842615502247265697895910966", "324428782986657472512410250713071903874", "308282977652990622579472355143846589277"], "threshold":0.9}, "id":"ASB-A-452010556-2e2f8729", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"219547898696826789866437462920609420287", "length":678}, "id":"ASB-A-452010556-542f0e18", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"checkPolicyVisibilityChange"}}, {"deprecated":false, "digest":{"function_hash":"295990930738223302744833455286679802854", "length":1073}, "id":"ASB-A-452010556-d36fee16", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/837d1ffa54b637de35558c87dae7d0c155721a43", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"show"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-06-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"219547898696826789866437462920609420287", "length":678}, "id":"ASB-A-452010556-4d57f745", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"checkPolicyVisibilityChange"}}, {"deprecated":false, "digest":{"line_hashes":["132273760158267097983055288787745018694", "47474440456811787385441026627601259867", "242470691432714548066435559718828354906", "56253570038693443920346756364922371372", "165124606163499328616044586147998878597", "156262576093604747735016125120236669588", "192755441024916862262803870834814989812", "327426287910549702753734403691805186519", "121307267217890474450687958466294167117", "124008452490842615502247265697895910966", "324428782986657472512410250713071903874", "308282977652990622579472355143846589277"], "threshold":0.9}, "id":"ASB-A-452010556-7d02ecf6", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"295990930738223302744833455286679802854", "length":1073}, "id":"ASB-A-452010556-89986394", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"show"}}, {"deprecated":false, "digest":{"function_hash":"142158782823989243623119978438196278745", "length":861}, "id":"ASB-A-452010556-f3bd14c2", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/31f2c2486a1af6a3cea4403783978d6544e15d63", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-06-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"8161235701582556819583907762950175376", "length":1209}, "id":"ASB-A-452010556-5e4e82a0", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"show"}}, {"deprecated":false, "digest":{"function_hash":"159025997728744761787732655721851653361", "length":977}, "id":"ASB-A-452010556-5f240f95", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}, {"deprecated":false, "digest":{"line_hashes":["132273760158267097983055288787745018694", "47474440456811787385441026627601259867", "242470691432714548066435559718828354906", "56253570038693443920346756364922371372", "165124606163499328616044586147998878597", "156262576093604747735016125120236669588", "192755441024916862262803870834814989812", "327426287910549702753734403691805186519", "121307267217890474450687958466294167117", "124008452490842615502247265697895910966", "166910566218191803577508002129885722568", "203909322426140432772460716763774854065"], "threshold":0.9}, "id":"ASB-A-452010556-697d3d98", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"219547898696826789866437462920609420287", "length":678}, "id":"ASB-A-452010556-ba3acbc3", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/2f94bab50c57d490c9d4597d0c077e7610200c71", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"checkPolicyVisibilityChange"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-06-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"219547898696826789866437462920609420287", "length":678}, "id":"ASB-A-452010556-39caf7e4", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"checkPolicyVisibilityChange"}}, {"deprecated":false, "digest":{"function_hash":"295990930738223302744833455286679802854", "length":1073}, "id":"ASB-A-452010556-4247b1ca", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"show"}}, {"deprecated":false, "digest":{"line_hashes":["189797230159533773981665047340823514841", "29852250565518537273863339087482042728", "177333664150954540924630996645953050901", "260092212136069913281304572642024478635", "165124606163499328616044586147998878597", "156262576093604747735016125120236669588", "192755441024916862262803870834814989812", "327426287910549702753734403691805186519", "121307267217890474450687958466294167117", "124008452490842615502247265697895910966", "324428782986657472512410250713071903874", "308282977652990622579472355143846589277"], "threshold":0.9}, "id":"ASB-A-452010556-97783533", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"142158782823989243623119978438196278745", "length":861}, "id":"ASB-A-452010556-af2902e5", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e58fd9cd11e400235ac480b4fba6a20f8161ff9b", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/4518f78f8b34510a1329c60dc5e0b018f015a6e3"}]}