How to fix CVE-2025-48654?

Within 24 hours: Inventory all Android devices running versions up to 16.0 in your environment and restrict their access to sensitive corporate systems and data. Within 7 days: Disable non-essential features on affected devices, enforce mobile device management (MDM) restrictions including disabling sideloading and developer mode, and communicate risk to device users. Within 30 days: Establish a vendor communication plan to track patch availability, evaluate device replacement or upgrade strategies for critical users, and conduct security awareness training on the risks of local privilege escalation.

Is Android affected by CVE-2025-48654?

A high-severity privilege escalation vulnerability affects Android devices up to version 16.0, allowing local attackers to gain elevated system access without requiring special permissions.

CVE-2025-48654

HIGH

2026-03-02 [email protected]

7.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 02, 2026 - 19:16 nvd

HIGH 7.8

Description

In onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Analysis

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.8).

Technical Context

affects Android. In onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor: Google. Product: Android. Versions: up to 16.0.

Remediation

Monitor vendor advisories for a patch.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +39

POC: 0

CVE-2025-48654 vulnerability details – vuln.today

Back

CVE-2025-48654

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-48654

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code