{"id":"ASB-A-459461121", "published":"2026-03-01T00:00:00Z", "modified":"2026-04-29T15:10:00.007170452Z", "aliases":["CVE-2026-0023", "A-459461121"], "details":"In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2-next:0"}, {"fixed":"16-qpr2-next:2026-03-01"}]}], "versions":["16-qpr2-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/23ee35e8fd7d7fdc7e18f691ebf8335f663d1d83"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["41902004838178996490532237465305865932", "143238036581852945348745031987847346919", "9317458107723232677728753784285036000", "47305123069438675957799154737432430968"], "threshold":0.9}, "id":"ASB-A-459461121-56bad302", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/23ee35e8fd7d7fdc7e18f691ebf8335f663d1d83", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"171863339250464238922862419271589101398", "length":12730}, "id":"ASB-A-459461121-9c9c4658", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/23ee35e8fd7d7fdc7e18f691ebf8335f663d1d83", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-03-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/a1435a13275c31df38f90f0e2790723a3cb6177a"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"37796899677190441954866605501169629985", "length":11623}, "id":"ASB-A-459461121-99ee6467", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a1435a13275c31df38f90f0e2790723a3cb6177a", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}, {"deprecated":false, "digest":{"line_hashes":["41902004838178996490532237465305865932", "143238036581852945348745031987847346919", "9317458107723232677728753784285036000", "47305123069438675957799154737432430968"], "threshold":0.9}, "id":"ASB-A-459461121-b3204a5e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/a1435a13275c31df38f90f0e2790723a3cb6177a", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-03-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/990428772d4718853382ec4c5feda2b7bd6f923f"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"178650860070716730475537156274966284071", "length":11630}, "id":"ASB-A-459461121-5215247b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/990428772d4718853382ec4c5feda2b7bd6f923f", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}, {"deprecated":false, "digest":{"line_hashes":["41902004838178996490532237465305865932", "143238036581852945348745031987847346919", "9317458107723232677728753784285036000", "47305123069438675957799154737432430968"], "threshold":0.9}, "id":"ASB-A-459461121-97f77f06", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/990428772d4718853382ec4c5feda2b7bd6f923f", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-03-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/49cd29daecbe611bd30dd5869a67c59f3c86ba94"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"185727764426197639498552116118627145496", "length":12548}, "id":"ASB-A-459461121-0387c90b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/49cd29daecbe611bd30dd5869a67c59f3c86ba94", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}, {"deprecated":false, "digest":{"line_hashes":["41902004838178996490532237465305865932", "143238036581852945348745031987847346919", "9317458107723232677728753784285036000", "47305123069438675957799154737432430968"], "threshold":0.9}, "id":"ASB-A-459461121-db4fb67a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/49cd29daecbe611bd30dd5869a67c59f3c86ba94", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-03-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/dc741f73d0dacc0f130deaf57a115354dda55723"], "severity":"High", "spl":"2026-03-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["316075140997206659299517416064537496267", "146474244090829127741070617911961326164", "9317458107723232677728753784285036000", "47305123069438675957799154737432430968"], "threshold":0.9}, "id":"ASB-A-459461121-09545117", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/dc741f73d0dacc0f130deaf57a115354dda55723", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"77325677381202845080436043658672031542", "length":9943}, "id":"ASB-A-459461121-7d130486", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/dc741f73d0dacc0f130deaf57a115354dda55723", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-03-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/09055276288a68cf35b0f84ba32e28822f74ecf9"}]}