Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
N/A
AnalysisAI
Information disclosure in Google Android allows local authenticated users to read sensitive data from system memory via local file access, achieving high confidentiality impact with low attack complexity. The vulnerability affects Android System-on-Chip (SoC) implementations across multiple versions. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the moderate CVSS 5.5 rating, suggesting this is a low-priority issue in practice.
Technical ContextAI
This vulnerability resides in Android's system-level access controls, likely involving improper permission enforcement or information leakage through a local interface accessible to authenticated users. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates the attack surface is limited to local access on the device and requires low-privilege user authentication, with no user interaction necessary. The issue affects Android System-on-Chip implementations broadly, suggesting the flaw may exist in vendor-supplied SoC drivers or firmware integration layers rather than core Android framework code. CWE data is not available, but the Information Disclosure classification and high confidentiality impact (C:H) point to a memory-access or file-permission weakness allowing unauthorized reads of sensitive data.
RemediationAI
Apply the security patch released in the April 2026 Android security bulletin available at https://source.android.com/security/bulletin/2026-04-01. Users should check their device manufacturer's update availability, as patches are typically delivered through over-the-air (OTA) updates or manual firmware installation specific to each device model and SoC variant. The generic nature of the CPE suggests patch timing may vary by device manufacturer and carrier; consult the official Android security bulletin and your device vendor's advisory for exact patched firmware versions and rollout timelines.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209235
GHSA-9wq4-qr6w-vc44