CVE-2025-22428
BaseFortify
Publication date: 2025-09-02
Last updated on: 2025-09-04
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the hasInteractAcrossUsersFullPermission method of AppInfoBase.java that allows an app on the primary user account to grant permissions to an app on a secondary user account. This can lead to a local escalation of privilege without needing any additional execution privileges or user interaction.
How can this vulnerability impact me?
The vulnerability can allow an attacker with access to the primary user account to escalate privileges on the device locally by granting permissions to apps on secondary user accounts. This could compromise the security and privacy of other users on the device without requiring further permissions or user interaction.