CVE-2025-22425
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | | 13.0 |
| android | | 14.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a permissions bypass in the Android platform's InstallStart.java file, specifically in the onCreate method. It occurs due to improper input validation, allowing a local user to escalate their privileges without needing additional execution privileges. Exploiting this vulnerability requires user interaction.
How can this vulnerability impact me?
This vulnerability can allow a local attacker to bypass permission checks and escalate their privileges on the affected Android device. This means an attacker with limited access could gain higher-level permissions, potentially leading to unauthorized actions or access to sensitive data. However, exploitation requires user interaction.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch that fixes the vulnerability by updating the Android platform/frameworks/base component to include the commit identified by hash 942884abf148426e948774b4857052da77ef77b3. This commit removes an unnecessary null check in InstallStart.java and corrects the session-based install processing logic, preventing the permissions bypass. Ensuring your system includes this fix will mitigate the vulnerability. [1]