Skip to main content

Google Android EUVDEUVD-2025-210216

| CVE-2025-48643 HIGH
Improper Input Validation (CWE-20)
2026-06-17 google_android
7.8
CVSS 3.1 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local app context required (AV:L, PR:L), no user interaction (UI:N), provisioning bypass yields full system-level control so C/I/A all High; scope unchanged within Android security model.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 18, 2026 - 04:53 vuln.today
CVSS changed
Jun 18, 2026 - 04:52 NVD
7.8 (HIGH)
CVE Published
Jun 17, 2026 - 05:53 cve.org
HIGH 7.8
CVE Published
Jun 17, 2026 - 05:53 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 17 stems from improper input validation across multiple code paths that allows a low-privileged app or local user to bypass provisioning controls and gain elevated privileges without user interaction. No public exploit identified at time of analysis, and the EPSS score of 0.13% (3rd percentile) reflects no observed exploitation activity, though the CVSS 7.8 reflects the high impact once preconditions are met.

Technical ContextAI

The flaw is rooted in CWE-20 (Improper Input Validation) within Android's provisioning subsystem, which governs device setup, work-profile/device-owner enrollment, and related configuration flows. Because the issue is described as occurring 'in multiple locations,' the underlying weakness is likely a shared input-validation routine or pattern reused across provisioning entry points rather than a single isolated bug. The affected CPE (cpe:2.3:a:google:android:*) and EUVD scope to Android 17 indicate the regression or weakness is tied to functionality introduced or modified in that platform release, fixed via the monthly Android Security Bulletin.

RemediationAI

Patch available per vendor advisory: apply the Android 17 Security Patch Level published in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/android-17, and on managed fleets enforce the corresponding SPL via MDM compliance policy. Because vendor firmware delivery varies by OEM, confirm device-specific patched builds with the manufacturer (Pixel, Samsung, etc.) and block enrollment of devices below the fixed SPL. As a compensating control until devices receive the patch, restrict installation of untrusted apps (Play Protect enforcement, disabling sideloading via MDM), and on enterprise deployments tighten work-profile provisioning policies - accepting the trade-off that stricter app-install policies reduce user flexibility and may break legitimate sideload workflows. See also https://vuldb.com/vuln/371848 for the third-party advisory tracker entry.

Share

EUVD-2025-210216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy