Skip to main content

SailingLab AppLock CVE-2025-68708

LOW
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-26 mitre
2.4
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.4 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 27, 2026 - 21:44 vuln.today
CVSS changed
May 27, 2026 - 21:22 NVD
2.4 (LOW)
CVE Published
May 26, 2026 - 00:00 nvd
LOW 2.4
CVE Published
May 26, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.

AnalysisAI

PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical device access. The root cause is architectural: the lock is implemented as a screen overlay rather than through Android's secure authentication APIs, meaning the underlying apps remain accessible via exposed intent routes triggered through advertisement or browser interactions. An attacker with physical access can navigate cascading UI flows to dismiss or circumvent the overlay entirely, gaining access to locked apps such as Chrome, resulting in information disclosure and unintended privilege escalation. No public exploit is confirmed in CISA KEV, but a researcher disclosure is publicly available on GitHub, and EPSS is negligible at 0.04% (11th percentile), consistent with the physical-access-only attack vector.

Technical ContextAI

SailingLab AppLock (package com.alpha.applock, version 4.3.8) implements its locking mechanism as an Android WindowManager overlay drawn atop target applications rather than using Android's sanctioned security surfaces such as KeyguardManager, BiometricPrompt, or DevicePolicyManager. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) precisely describes this root cause: the overlay layer can be bypassed by triggering exposed Android Activity or Intent routes - specifically via advertisement intents or browser deep-links - that navigate around the overlay without ever invoking the PIN verification code path. Android's intent system allows third-party apps and browser navigations to launch registered Activity components; if those components are exported or reachable through advertisement SDKs embedded in AppLock, an attacker can redirect the UI flow to a state where the overlay is absent. The CPE entry is listed as n/a in the NVD, meaning the product is not formally catalogued in the National Vulnerability Database's product dictionary, which reduces automated detection coverage for asset inventory tools.

RemediationAI

No vendor-released patch has been identified at time of analysis; no fixed version number is available from the provided intelligence sources. Users should check the Google Play listing (https://play.google.com/store/apps/details?id=com.alpha.applock) for any updates released after version 4.3.8. As a compensating control, users requiring app-level locking should migrate to Android's built-in screen pinning or device administrator features, or use app-locking solutions that integrate with BiometricPrompt and KeyguardManager APIs rather than overlay-based approaches - the trade-off is reduced feature flexibility but a fundamentally more secure authentication path. Disabling the AppLock overlay for individual apps via the app's own settings eliminates the false sense of security without relying on the bypass-prone overlay. On corporate-managed devices, MDM-enforced app restrictions or Android Enterprise work profiles should replace third-party overlay lockers entirely. The researcher disclosure is available at https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708 for technical detail.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2025-68708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy