ASB-A-341680936 — Vulnetix

ASB-A-341680936 PUBLISHED

In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Affected Products

Vendor	Product	Versions
platform	frameworks/base	12, *, 15-next

Timeline

Mar 1, 2025 CVE Published
May 15, 2026 CVE Updated

References

https://source.android.com/security/bulletin/2025-03-01 advisory
https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10 patch

Open in Interactive Console →