Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple locations, there is a possible way to reveal images across users due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android 14, 15, 16, and 16-qpr2 allows a local attacker with low privileges to reveal images across user boundaries through improper input validation in multiple code locations. The flaw requires user interaction but no additional execution privileges, and carries a CVSS 7.8 (High) rating. EPSS exploitation probability is low at 0.09% (26th percentile), and there is no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability resides in the Android platform (cpe:2.3:a:google:android) across multiple components where input validation is insufficient, enabling cross-user image disclosure. Android enforces per-user data isolation through its multi-user framework and storage sandboxing, so a bypass that exposes images from another user profile constitutes a violation of the platform's fundamental isolation model. Although the CWE is unspecified, the description maps to improper input validation (CWE-20) leading to information disclosure across security boundaries, ultimately resulting in privilege escalation when an attacker leverages the disclosed data within the local user context.
RemediationAI
Patch available per vendor advisory: apply the June 2026 Android security patch level as documented in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01, which addresses CVE-2025-22424 across Android 14, 15, 16, and 16-qpr2 - OEM-specific patched build numbers should be confirmed with the device manufacturer. Until the patch is installed, limit exposure by restricting installation of untrusted applications (the local attacker context this bug requires), avoiding granting storage or media permissions to non-essential apps, and disabling secondary user profiles on shared devices where cross-user image leakage would matter; the trade-off is reduced multi-user functionality and user friction around app installation. Verify NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-22424 and VulDB at https://vuldb.com/vuln/367837 for any updated mitigation guidance.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210008
GHSA-cgw7-gqg5-536h