Skip to main content

Google Android CVE-2025-22424

| EUVDEUVD-2025-210008 HIGH
Improper Input Validation (CWE-20)
2026-06-01 google_android GHSA-cgw7-gqg5-536h
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 19:07 vuln.today
CVSS changed
Jun 02, 2026 - 19:07 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple locations, there is a possible way to reveal images across users due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 14, 15, 16, and 16-qpr2 allows a local attacker with low privileges to reveal images across user boundaries through improper input validation in multiple code locations. The flaw requires user interaction but no additional execution privileges, and carries a CVSS 7.8 (High) rating. EPSS exploitation probability is low at 0.09% (26th percentile), and there is no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability resides in the Android platform (cpe:2.3:a:google:android) across multiple components where input validation is insufficient, enabling cross-user image disclosure. Android enforces per-user data isolation through its multi-user framework and storage sandboxing, so a bypass that exposes images from another user profile constitutes a violation of the platform's fundamental isolation model. Although the CWE is unspecified, the description maps to improper input validation (CWE-20) leading to information disclosure across security boundaries, ultimately resulting in privilege escalation when an attacker leverages the disclosed data within the local user context.

RemediationAI

Patch available per vendor advisory: apply the June 2026 Android security patch level as documented in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01, which addresses CVE-2025-22424 across Android 14, 15, 16, and 16-qpr2 - OEM-specific patched build numbers should be confirmed with the device manufacturer. Until the patch is installed, limit exposure by restricting installation of untrusted applications (the local attacker context this bug requires), avoiding granting storage or media permissions to non-essential apps, and disabling secondary user profiles on shared devices where cross-user image leakage would matter; the trade-off is reduced multi-user functionality and user friction around app installation. Verify NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-22424 and VulDB at https://vuldb.com/vuln/367837 for any updated mitigation guidance.

Share

CVE-2025-22424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy