CVE-2025-26423
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the validateIpConfiguration method of WifiConfigurationUtil.java in Android. Because a bounds check is missing, it is possible to trigger a permanent denial of service (DoS). The flaw allows local escalation of privilege without any additional execution privileges or user interaction. In short, improper validation of IP configuration data can be exploited to disrupt the Wi-Fi service. [1]
How can this vulnerability impact me?
The vulnerability can lead to a permanent denial of service of the Wi-Fi service on the affected device, potentially causing loss of network connectivity. It also allows a local attacker to escalate privileges without extra execution rights or user interaction, which could compromise device security and stability. [1]
What immediate steps should I take to mitigate this vulnerability?
Update the Android platform's Wi-Fi module to a version that includes the patch from commit 01e708a7a9af970b3aa40cdca2cbde71d07a859b, which adds a size check for IP configuration data in WifiConfigurationUtil.java. Validating the size of the IP configuration before it is processed prevents the permanent DoS and the privilege escalation. [1]