Skip to main content

Google Android CVE-2025-48570

| EUVDEUVD-2025-210012 HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-06-01 google_android GHSA-hfff-23qp-388w
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:24 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 14's PipTaskOrganizer component allows a low-privileged app to launch activities from the background by abusing a confused deputy condition, requiring no user interaction. The CVSS 7.8 (AV:L/AC:L/PR:L) reflects local attack vector with low privileges, and per the available data there is no public exploit identified at time of analysis (EPSS 0.01%, not on CISA KEV).

Technical ContextAI

The flaw resides in multiple functions of PipTaskOrganizer.java, the Android system component responsible for orchestrating Picture-in-Picture (PiP) windowed tasks within WindowManager/SystemUI. CWE-441 (Unintended Proxy or Intermediary, the 'confused deputy' class) indicates a more privileged system service performs an action on behalf of a less-privileged caller without adequately verifying the caller's authority, in this case allowing background activity launches that Android's Background Activity Launch (BAL) restrictions are specifically designed to prevent.

RemediationAI

Apply the Android June 2026 security patch level (SPL 2026-06-01) or later as published in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; on Pixel devices this arrives via OTA, while other OEMs ship the same AOSP patch in their monthly rollups on their own cadence. Where the June 2026 SPL is not yet available for a given device, compensating controls are limited to user-side hygiene: avoid sideloading apps, keep Google Play Protect enabled, and restrict installation of apps requesting PiP or overlay-adjacent permissions - note these controls do not block a malicious app that has already been installed, so patching remains the only reliable fix. No standalone configuration toggle disables PipTaskOrganizer without breaking PiP functionality across the system.

Share

CVE-2025-48570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy