CVE-2025-0087
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-689 | The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Android platform's UninstallerActivity.java where a missing permission check allows an app to uninstall another user's app without proper authorization. This flaw enables local escalation of privilege without needing additional execution privileges or user interaction, effectively allowing unauthorized uninstallation of apps across different user profiles. [1]
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an attacker or malicious app on the same device to uninstall apps belonging to other users or profiles without permission. This could disrupt the functionality of those apps, potentially leading to loss of data or denial of service for other users on the device. It compromises the isolation between user profiles on Android devices. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the security update that includes the fix for CVE-2025-0087, which restricts app uninstallation permissions to enforce proper multi-user profile boundaries. Ensure your Android system is updated to a version that includes the patch merged in early January 2025. This will prevent unauthorized uninstallation of apps across user profiles. [1]