Skip to main content

Google Android CVE-2025-32348

| EUVDEUVD-2025-210011 HIGH
Incorrect Authorization (CWE-863)
2026-06-01 google_android GHSA-cr9g-295j-fq2w
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:24 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple locations, there is a possible background activity launch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to launch background activities without the required permission check, enabling elevation to higher-privileged execution contexts without user interaction. The flaw, tracked as EUVD-2025-210011 and addressed in the June 2026 Android Security Bulletin, carries a CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N) with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and EPSS is 0.01%, indicating very low predicted exploitation probability in the near term.

Technical ContextAI

The issue resides in Android's activity lifecycle controls, specifically in the background activity launch (BAL) restrictions that Android has progressively tightened since Android 10 to prevent malicious apps from displaying UI or executing code in privileged contexts while not in the foreground. According to the description, multiple code paths fail to perform a permission check before allowing a background activity launch, which is functionally a missing authorization (CWE-862 class, though CWE is listed as N/A in the input). The affected CPE is cpe:2.3:a:google:android (framework/platform component), spanning Android 14 through 16-qpr2, suggesting the regression or oversight exists across several major platform releases and was likely identified during internal review or external researcher disclosure feeding into the AOSP security bulletin process.

RemediationAI

Apply the Android June 2026 security patch level (2026-06-01 or later) as documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01 - this is the vendor-released patch path for Android 14, 15, 16, and 16-qpr2. For managed fleets, enforce SPL >= 2026-06-01 via MDM compliance policies (Android Enterprise, Intune, Workspace ONE) and block enrollment of devices below this level. Until OEM patches arrive, compensating controls are limited because the flaw is in platform code; reduce risk by restricting sideloading via Play Protect enforcement and Google Play-only install policies, auditing installed apps with the BIND_ACCESSIBILITY_SERVICE or activity-launching capabilities, and on managed devices disabling 'Install unknown apps' - note these reduce but do not eliminate exposure from a malicious app already permitted to run.

Share

CVE-2025-32348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy