CVE-2025-32312
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-05
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 15.0 | |
| android | 14.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Android PackageManager component, specifically in the PackageParser.java file. It allows unsafe deserialization that can bypass lazy bundle hardening, enabling modified data to be passed to the next process. This happens because the system unrestrictedly constructs subclasses, allowing potentially arbitrary classes to be instantiated during package parsing. This can lead to local escalation of privilege without needing additional execution privileges or user interaction. [1]
How can this vulnerability impact me? :
The vulnerability can lead to local escalation of privilege on an affected Android device. An attacker could exploit this flaw to gain higher privileges locally without requiring additional execution rights or user interaction, potentially allowing unauthorized actions or access within the system. [1]
What immediate steps should I take to mitigate this vulnerability?
Apply the security patch that restricts subclass construction in the PackageParser component of the Android framework. This patch prevents the creation of arbitrary classes during package parsing, mitigating the vulnerability. Ensure your Android system is updated with the fix committed on March 19, 2025, which addresses this issue. [1]