Skip to main content

Android CVE-2025-48652

| EUVDEUVD-2025-210017 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-01 google_android GHSA-92cc-jfh8-g56m
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:25 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In performPreInstallChecks of InstallRepository.kt, there is a possible way to bypass MDM policy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Android 15, 16, and 16-qpr2 enables a low-privileged process to bypass Mobile Device Management (MDM) policy controls through a logic error in the InstallRepository.kt performPreInstallChecks function. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%, but the flaw permits silent policy circumvention without user interaction on enterprise-managed devices. Patched in the June 2026 Android Security Bulletin.

Technical ContextAI

The vulnerability resides in InstallRepository.kt, part of the Android PackageInstaller component responsible for validating application installations against device policy. The performPreInstallChecks function is intended to evaluate whether a proposed install is permitted under active MDM (Device Owner / Profile Owner) restrictions configured through DevicePolicyManager. CWE-693 (Protection Mechanism Failure) characterizes the root cause: a logic error in this check allows the protective control to be evaded rather than failing closed. Per the CPE (cpe:2.3:a:google:android:*) and EUVD affected-versions data, this affects Google Android 15, 16, and 16-qpr2 across the AOSP install pipeline.

RemediationAI

Apply the June 2026 Android Security Bulletin patch level (2026-06-01 or later) via OEM OTA updates as soon as it is offered for affected devices; the fix is published at https://source.android.com/docs/security/bulletin/2026/2026-06-01 and the patch is available per vendor advisory. Enterprises managing fleets via EMM/MDM should track per-OEM rollout, prioritize devices on Android 15, 16, and 16-qpr2, and use MDM compliance rules to flag or quarantine devices whose security patch level is older than 2026-06-01. As a compensating control until patched, restrict installation sources by disabling 'Install unknown apps' for all user profiles via DevicePolicyManager (UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES) and limit physical/USB/ADB access (set DISALLOW_DEBUGGING_FEATURES) - these reduce the local foothold needed but will block sideloading workflows some users depend on.

Share

CVE-2025-48652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy