{"id":"ASB-A-463364410", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-12T15:08:17.296522730Z", "aliases":["CVE-2026-0048", "A-463364410"], "details":"In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"17-next:0"}, {"fixed":"17-next:2026-06-01"}]}], "versions":["17-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/0246ce8a4eafb042885ae212cf503285b4cd91c6"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["213056150204855974978108011784885620547", "65666995771609329779778236334220027558", "102126945982789904211617090980218355191", "26346426303184886208092506844304388318"], "threshold":0.9}, "id":"ASB-A-463364410-7caf608d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0246ce8a4eafb042885ae212cf503285b4cd91c6", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"159025997728744761787732655721851653361", "length":977}, "id":"ASB-A-463364410-cb760fcc", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0246ce8a4eafb042885ae212cf503285b4cd91c6", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"15:0"}, {"fixed":"15:2026-06-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/628b977e0ed69724c9d525d085a56d4c5240b735"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["213056150204855974978108011784885620547", "65666995771609329779778236334220027558", "102126945982789904211617090980218355191", "26346426303184886208092506844304388318"], "threshold":0.9}, "id":"ASB-A-463364410-37a1510f", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/628b977e0ed69724c9d525d085a56d4c5240b735", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}, {"deprecated":false, "digest":{"function_hash":"142158782823989243623119978438196278745", "length":861}, "id":"ASB-A-463364410-a49b8cbb", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/628b977e0ed69724c9d525d085a56d4c5240b735", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-06-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e0fc0b9962498477378d18d7799c1339b0bdf1e5"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"142158782823989243623119978438196278745", "length":861}, "id":"ASB-A-463364410-558545b0", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e0fc0b9962498477378d18d7799c1339b0bdf1e5", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}, {"deprecated":false, "digest":{"line_hashes":["213056150204855974978108011784885620547", "65666995771609329779778236334220027558", "102126945982789904211617090980218355191", "26346426303184886208092506844304388318"], "threshold":0.9}, "id":"ASB-A-463364410-bfe0a35e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e0fc0b9962498477378d18d7799c1339b0bdf1e5", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-06-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/0bd3fadc1852775b9c87e6836ca56b175b179a38"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"159025997728744761787732655721851653361", "length":977}, "id":"ASB-A-463364410-0c635a62", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0bd3fadc1852775b9c87e6836ca56b175b179a38", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}, {"deprecated":false, "digest":{"line_hashes":["213056150204855974978108011784885620547", "65666995771609329779778236334220027558", "102126945982789904211617090980218355191", "26346426303184886208092506844304388318"], "threshold":0.9}, "id":"ASB-A-463364410-a9dcd95d", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/0bd3fadc1852775b9c87e6836ca56b175b179a38", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-06-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/6ca1d6b26237d3f1ae0dac23e5f4bb487b23bf93"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"142158782823989243623119978438196278745", "length":861}, "id":"ASB-A-463364410-6bf1843f", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/6ca1d6b26237d3f1ae0dac23e5f4bb487b23bf93", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java", "function":"hide"}}, {"deprecated":false, "digest":{"line_hashes":["213056150204855974978108011784885620547", "65666995771609329779778236334220027558", "102126945982789904211617090980218355191", "26346426303184886208092506844304388318"], "threshold":0.9}, "id":"ASB-A-463364410-8e2ee10a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/6ca1d6b26237d3f1ae0dac23e5f4bb487b23bf93", "target":{"file":"services/core/java/com/android/server/wm/WindowState.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/36a774d7239923d0ef16ae5f51b87fb132e2bbb9"}]}