CVE-2025-48538Improper Input Validation in Google Android

CWE-20Improper Input Validation4 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 99.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Android
Timeline
PublishedSep 4

Description

In setApplicationHiddenSettingAsUser of PackageManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5google/android4 versions+3
NVDgoogle/android4 versions+3

Patches

Patch: android.googlesource.com

🔴Vulnerability Details

2
CVEList
CVE-2025-48538: In setApplicationHiddenSettingAsUser of PackageManagerService2025-09-04
GHSA
GHSA-2qmf-q38x-5h24: In setApplicationHiddenSettingAsUser of PackageManagerService2025-09-04

📋Vendor Advisories

1
Android
CVE-2025-48538: Android Security Bulletin 2025-09-01 CVE: CVE-2025-48538 Severity: HIGH Type: DoS Affected AOSP versions: 13, 14, 15, 16 References: A-3281820842025-09-01
CVE-2025-48538 — Improper Input Validation in Google | cvebase