CVE-2025-26452 — Confused Deputy in Frameworks Base

Vendor	Product	Version range	Fixed in
google	android	—	—
google	android	—	—
google	android	—	—
google	android	—	—
google	android	—	—
platform	frameworks_base	>= 14:0 < 14:2025-06-01	14:2025-06-01
platform	frameworks_base	>= 15:0 < 15:2025-06-01	15:2025-06-01
platform	frameworks_base	>= 16-next:0 < 16-next:2025-06-01	16-next:2025-06-01

GHSA

GHSA-m7v8-2w49-4w9x: In loadDrawableForCookie of ResourcesImpl

ghsa_unreviewed·2025-09-05

CVE-2025-26452 [HIGH] CWE-441 GHSA-m7v8-2w49-4w9x: In loadDrawableForCookie of ResourcesImpl In loadDrawableForCookie of ResourcesImpl.java, there is a possible way to access task snapshots of other apps due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

OSV

CVE-2025-26452: In loadDrawableForCookie of ResourcesImpl

osv·2025-06-01

CVE-2025-26452 CVE-2025-26452: In loadDrawableForCookie of ResourcesImpl In loadDrawableForCookie of ResourcesImpl.java, there is a possible way to access task snapshots of other apps due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Android

CVE-2025-26452: Android Security Bulletin 2025-06-01 CVE: CVE-2025-26452 Severity: HIGH Type: EoP Affected AOSP versions: 14, 15 References: A-383080440

vendor_android·2025-06-01·CVSS 7.8

CVE-2025-26452 [HIGH] CVE-2025-26452: Android Security Bulletin 2025-06-01 CVE: CVE-2025-26452 Severity: HIGH Type: EoP Affected AOSP versions: 14, 15 References: A-383080440 Android Security Bulletin 2025-06-01 CVE: CVE-2025-26452 Severity: HIGH Type: EoP Affected AOSP versions: 14, 15 References: A-383080440

CVE-2025-26452: In loadDrawableForCookie of ResourcesImpl.java, there is a possible way to access task snapshots of other apps due to a confused deputy. This could lead to…

Affected