CVE-2025-48580
BaseFortify
Publication date: 2025-12-08
Last updated on: 2025-12-10
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 | |
| android | 16.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Apply the security patch level 2025-12-05 or later as recommended in the December 2025 Android Security Bulletin. This patch includes fixes for CVE-2025-48580 and prevents unintended capability escalation in the MediaBrowser component by controlling capability propagation during media browsing sessions. [1, 2]
Can you explain this vulnerability to me?
This vulnerability is a logic error in the connectInternal method of MediaBrowser.java that allows an app to gain access to the 'while in use' permission even when running in the background. This means the app can escalate its privileges locally without needing any additional execution privileges or user interaction.
How can this vulnerability impact me? :
The vulnerability can lead to local escalation of privilege, allowing an app to access permissions it should not have while running in the background. This could potentially be exploited to perform unauthorized actions on the device without the user's knowledge or consent.