CVE-2025-48572
BaseFortify
Publication date: 2025-12-08
Last updated on: 2025-12-09
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | android_framework | 14 |
| android | android_framework | 13 |
| android | android_framework | 15 |
| android | android_framework | 16 |
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 | |
| android | 16.0 | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Apply the security patch level 2025-12-05 or later as provided in the December 2025 Android Security Bulletin. This patch addresses CVE-2025-48572 by updating the Android Framework to prevent privilege escalation through improved permission handling in media button event broadcasts. [1]
Can you explain this vulnerability to me?
This vulnerability involves a permissions bypass that allows launching activities from the background in multiple locations. It enables a local escalation of privilege without requiring any additional execution privileges or user interaction.
How can this vulnerability impact me?
The vulnerability can allow an attacker to escalate their privileges locally without needing extra permissions or user interaction, potentially leading to unauthorized actions or access on the affected device.