CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
N/A
Analysis
Information disclosure in Google Android allows a local, authenticated, low-privilege user to read sensitive data from system memory via local file access, with high confidentiality impact and low attack complexity. The vulnerability affects Android System-on-Chip (SoC) implementations across multiple versions. The EPSS score of 0.01% indicates a minimal real-world exploitation probability despite the moderate CVSS 5.5 rating, so in practice this is a low-priority issue.
Technical Context
This vulnerability resides in Android's system-level access controls, most likely improper permission enforcement or information leakage through a local interface reachable by authenticated users. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) limits the attack surface to local access on the device by a low-privilege authenticated user, with no user interaction required and no change of scope. Because the issue affects Android System-on-Chip implementations broadly, the flaw probably lies in vendor-supplied SoC drivers or firmware integration layers rather than in core Android framework code. No CWE is assigned, but the Information Disclosure classification and high confidentiality impact (C:H) point to a memory-access or file-permission weakness that allows unauthorized reads of sensitive data.
Affected Products
Google Android across all affected versions listed in the Android SoC vulnerability bulletin, with coverage indicated by the generic Android CPE (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*). SoC and version granularity is not independently specified in the provided data; the affected device models and Android version ranges are given in the official Android security bulletin at https://source.android.com/security/bulletin/2026-04-01 and on its documentation-site copy at https://source.android.com/docs/security/bulletin/2026/2026-04-01.
Remediation
Apply the security patch released in the April 2026 Android security bulletin at https://source.android.com/security/bulletin/2026-04-01. Check with your device manufacturer for update availability, since patches are typically delivered through over-the-air (OTA) updates or manual firmware installation specific to each device model and SoC variant. The generic CPE means patch timing may vary by device manufacturer and carrier; consult the official Android security bulletin and your device vendor's advisory for the exact patched firmware versions and rollout timelines.
EUVD-2025-209235
GHSA-9wq4-qr6w-vc44