CVE-2025-26425
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 14.0 | |
| android | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Apply the patch that includes the commit with hash 850ce9ea3ac72540ce310722633d9c893a32dfdd to your Android platform's Permission module. This patch adds necessary precondition checks in RoleService.java to prevent improper usage of methods that could lead to privilege escalation. Additionally, ensure your system is running an Android version that includes this fix or later, and verify security enforcement using the CTS role tests if possible. [1]
Can you explain this vulnerability to me?
This vulnerability is a permission squatting issue in multiple functions of RoleService.java in Android. Due to a logic error, certain methods related to managing default applications could be called improperly on Android versions where the permission android.permission.MANAGE_DEFAULT_APPLICATIONS was not defined with additional execution privileges. This flaw allows a local attacker to escalate their privileges without needing any user interaction. [1]
How can this vulnerability impact me? :
The vulnerability can lead to local escalation of privilege, meaning an attacker with local access to the device could gain higher permissions than intended. This could allow them to manipulate default application roles or perform actions normally restricted to privileged apps, potentially compromising device security and user data. [1]