canyie/TransitionPlayer

This issue has been fixed for Android 14+ in the June 2026 Android Security Bulletin. Click here to see the patch

Writeup

TODO

I'll complete the writeup when I get a little free time

But before that I have to fight against school work and exams

Test

Build the project and install the generated APK file (if you use the Run button inside Android Studio, turn on "Always install with package manager").

Run the following command on the PC:

adb shell app_process '-Djava.class.path=$(pm path top.canyie.transitionplayer | cut -c9-) /system/bin top.canyie.transitionplayer.Main'

Then launch an arbitrary app by tapping its icon in the launcher.

A notification should be sent from the launcher app. If you are on Android 14+, a fabricated overlay will be injected into the system, so adb shell cmd overlay lookup android android:integer/config_multiuserMaximumUsers should return 100.
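An added defender-side check, not part of this repository: it classifies a device from its API level, its security patch level and the overlay lookup value described above. It assumes the fix ships at the 2026-06-01 patch level (the page names only the June 2026 bulletin); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the TransitionPlayer repository.
FIX_SPL="2026-06-01"  # ASSUMPTION: earliest patch level of the June 2026 bulletin
MIN_FIXED_SDK=34      # Android 14 is API level 34

# patch_status SDK SPL -> patched | unpatched | not-covered | unknown
patch_status() {
    sdk=$1; spl=$2
    case $sdk in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $spl in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # The README states a fix only for Android 14+.
    if [ "$sdk" -lt "$MIN_FIXED_SDK" ]; then echo not-covered; return 0; fi
    # YYYY-MM-DD compares correctly as an integer once the dashes are removed.
    have=$(printf '%s' "$spl" | tr -d '-')
    need=$(printf '%s' "$FIX_SPL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo unpatched; fi
}

# overlay_indicator LOOKUP_OUTPUT -> present | absent
# "present" means the lookup resolved to 100, the value the README's test yields.
# A build that legitimately ships 100 would also match, so treat it as a lead.
overlay_indicator() {
    val=$(printf '%s' "$1" | tr -d '[:space:]')
    if [ "$val" = "100" ]; then echo present; else echo absent; fi
}

# triage SDK SPL LOOKUP_OUTPUT -> one summary line
triage() {
    printf '%s overlay=%s\n' "$(patch_status "$1" "$2")" "$(overlay_indicator "$3")"
}

# check_device: collect the three inputs from the adb-connected device.
check_device() {
    triage "$(adb shell getprop ro.build.version.sdk | tr -d '\r')" \
           "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
           "$(adb shell cmd overlay lookup android android:integer/config_multiuserMaximumUsers)"
}

# Constructed sample values, not captured from a real device.
triage 34 2026-05-01 "100"   # unpatched overlay=present
triage 35 2026-06-05 "4"     # patched overlay=absent
```

Call check_device with a device attached over adb to classify it; the two triage lines at the end run offline on constructed values.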

Fixes

About

CVE-2026-0091, play with an issue in Android window management to perform arbitrary code execution in the Launcher process from adb
