CVE-2025-48619
Logic Error in Android ContentProvider Allows Local Privilege Escalation
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 14.0 | |
| android | 15.0 | |
| android | 16.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in multiple functions of ContentProvider.java where a logic error allows an app with only read-only access to truncate files. This means that even without write permissions, an app can shorten or cut off files due to the flawed code logic.
Exploitation does not require any additional execution privileges or user interaction, making it easier for malicious apps to misuse this flaw.
How can this vulnerability impact me? :
The vulnerability can lead to a local escalation of privilege, allowing an app with limited permissions to perform actions beyond its intended scope.
Specifically, an app with read-only access could truncate files, potentially causing data loss or corruption.
Since no user interaction or additional privileges are needed, this could be exploited silently, increasing the risk of unauthorized data manipulation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know