Skip to main content

Google Android CVE-2025-48649

| EUVDEUVD-2025-210016 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-01 google_android GHSA-rh6r-gg6r-2qxc
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:25 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android versions 14, 15, 16, and 16-qpr2 allows a malicious app to reset user-selected permission choices by bypassing the permission enforcement logic (CWE-693, Protection Mechanism Failure). The flaw requires no user interaction and only low privileges already available to any installed app, but at present there is no public exploit identified at time of analysis and EPSS rates real-world exploitation probability at just 0.01%.

Technical ContextAI

Android's runtime permission model is the security boundary that gates access to sensitive APIs such as location, microphone, camera, contacts, and storage. CWE-693 (Protection Mechanism Failure) indicates the bug is not a memory corruption or logic crash but a failure of the permission enforcement layer itself: the platform's permission state, which is supposed to reflect what the user explicitly granted or denied, can be reset across multiple code paths because the checks that should guard those resets are absent or circumventable. The affected component, identified via CPE cpe:2.3:a:google:android:*, is the platform itself (AOSP framework / PermissionController) rather than a single OEM build, which means downstream device vendors all inherit the issue until they pick up the June 2026 Android Security Bulletin patch.

RemediationAI

Apply the patch published in the Android Security Bulletin dated 2026-06-01 (https://source.android.com/docs/security/bulletin/2026/2026-06-01); patch available per vendor advisory, with the fix delivered through the standard monthly security patch level on Pixel and through OEM updates for third-party devices. On managed fleets, enforce a minimum SecurityPatchLevel via MDM (Android Enterprise's setRequiredPasswordComplexity / device compliance policies) so devices below the June 2026 patch level lose access to corporate resources; the trade-off is user friction on OEMs slow to ship patches. Until devices are patched, restrict sideloading by disabling 'Install unknown apps' for all sources and require apps to come from Google Play or a vetted enterprise store, since exploitation requires a malicious app already running on the device - this reduces but does not eliminate risk because Play-distributed apps have historically carried malware. Consider Google Play Protect being enabled (default on GMS devices) as a partial compensating control while patches roll out.

Share

CVE-2025-48649 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy