CVE-2025-32345
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-08
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 15.0 | |
| android | 16.0 | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the updateState method of ContentProtectionTogglePreferenceController.java, where a logic error allows a secondary user to disable the primary user's deceptive app scanning setting. This flaw can be exploited locally without needing additional execution privileges or user interaction, leading to an escalation of privileges.
How can this vulnerability impact me?
The vulnerability can allow a secondary user on the device to disable security settings intended for the primary user, specifically the deceptive app scanning feature. This local escalation of privilege could reduce the device's protection against deceptive apps, potentially increasing the risk of malicious app activity without requiring further permissions or user actions.