CVE-2025-26428
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the startLockTaskMode method of LockTaskController.java in the Android platform. It allows a possible lock screen bypass due to improper handling of lock states when a Task is already locked (pinned). Essentially, redundant app pinning requests are not properly prevented, which can lead to a physical escalation of privilege without needing additional execution privileges. Exploitation requires user interaction. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass the lock screen on an Android device, leading to physical escalation of privilege. This means someone with physical access to the device could potentially gain unauthorized access or control without needing extra execution privileges, compromising device security. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the patch that modifies LockTaskController.java to prevent redundant app pinning requests when a Task is already locked. This update fixes the logic error causing the lock screen bypass and improves the stability and security of task locking mechanisms in Android. [1]