{"id":"ASB-A-368319929","details":"In parseHtml of HtmlToSpannedParser.java, there is a possible way to install apps without allowing installation from unknown sources due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-368319929","CVE-2025-26443"],"modified":"2026-03-11T06:32:09.480960Z","published":"2025-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/69a363847696f6f79f81038cad03c7950bc82054"}],"affected":[{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-06-01"}]}],"versions":["16-next"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/0eb898e8737fe208d48812cfa45bad243deea55e"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/0eb898e8737fe208d48812cfa45bad243deea55e","target":{"file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Line","digest":{"line_hashes":["238110224483519208715874075044440318371","208829958817704955059987860954581187486","253917135026050978917009288666732918307","325713891578664070558632078703955481539","321248701237613253963258772152475489452","204194112767795491220064057337161086957","4583501986742992134235176134695425300","135985893448324174782556650846740488832","104719656400448530773207274353833270126","274217612757608636518308689046642569688","67166614523613521218711957331509930352"],"threshold":0.9},"id":"ASB-A-368319929-20a435dc","signature_version":"v1"},{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/0eb898e8737fe208d48812cfa45bad243deea55e","target":{"function":"parseHtml","file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Function","digest":{"function_hash":"124269671373407116152009062505619559059","length":590},"id":"ASB-A-368319929-8db1d532","signature_version":"v1"}],"spl":"2025-06-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-368319929.json"}},{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2025-06-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/f6ffc1df5407791f3f23b535eb97663694bdf380"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/f6ffc1df5407791f3f23b535eb97663694bdf380","target":{"function":"parseHtml","file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Function","digest":{"function_hash":"124269671373407116152009062505619559059","length":590},"id":"ASB-A-368319929-1d553ccd","signature_version":"v1"},{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/f6ffc1df5407791f3f23b535eb97663694bdf380","target":{"file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Line","digest":{"line_hashes":["238110224483519208715874075044440318371","208829958817704955059987860954581187486","253917135026050978917009288666732918307","325713891578664070558632078703955481539","321248701237613253963258772152475489452","204194112767795491220064057337161086957","4583501986742992134235176134695425300","135985893448324174782556650846740488832","104719656400448530773207274353833270126","274217612757608636518308689046642569688","67166614523613521218711957331509930352"],"threshold":0.9},"id":"ASB-A-368319929-7d7d9a3e","signature_version":"v1"}],"spl":"2025-06-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-368319929.json"}},{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2025-06-01"}]}],"versions":["13"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/38ea726daf6a6d33889ac1225372c8a4786fbfb6"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/38ea726daf6a6d33889ac1225372c8a4786fbfb6","target":{"function":"parseHtml","file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Function","digest":{"function_hash":"124269671373407116152009062505619559059","length":590},"id":"ASB-A-368319929-20920a58","signature_version":"v1"},{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/38ea726daf6a6d33889ac1225372c8a4786fbfb6","target":{"file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Line","digest":{"line_hashes":["238110224483519208715874075044440318371","208829958817704955059987860954581187486","253917135026050978917009288666732918307","325713891578664070558632078703955481539","321248701237613253963258772152475489452","204194112767795491220064057337161086957","4583501986742992134235176134695425300","135985893448324174782556650846740488832","104719656400448530773207274353833270126","274217612757608636518308689046642569688","67166614523613521218711957331509930352"],"threshold":0.9},"id":"ASB-A-368319929-70a1152f","signature_version":"v1"}],"spl":"2025-06-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-368319929.json"}},{"package":{"name":"platform/packages/apps/ManagedProvisioning","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2025-06-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/fb3ac24b0cf78beb735c47316b73133a255c957d"],"types":["EoP"],"vanir_signatures":[{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/fb3ac24b0cf78beb735c47316b73133a255c957d","target":{"file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Line","digest":{"line_hashes":["238110224483519208715874075044440318371","208829958817704955059987860954581187486","253917135026050978917009288666732918307","325713891578664070558632078703955481539","321248701237613253963258772152475489452","204194112767795491220064057337161086957","4583501986742992134235176134695425300","135985893448324174782556650846740488832","104719656400448530773207274353833270126","274217612757608636518308689046642569688","67166614523613521218711957331509930352"],"threshold":0.9},"id":"ASB-A-368319929-1482346e","signature_version":"v1"},{"deprecated":false,"source":"https://googleplex-android.googlesource.com/platform/packages/apps/ManagedProvisioning/+/fb3ac24b0cf78beb735c47316b73133a255c957d","target":{"function":"parseHtml","file":"src/com/android/managedprovisioning/common/HtmlToSpannedParser.java"},"signature_type":"Function","digest":{"function_hash":"124269671373407116152009062505619559059","length":590},"id":"ASB-A-368319929-b5de9806","signature_version":"v1"}],"spl":"2025-06-01","severity":"High"},"database_specific":{"source":"https://storage.googleapis.com/android-osv-test/ASB-A-368319929.json"}}],"schema_version":"1.7.5"}