Google Android vulnerabilities

CVE-2025-48623 [HIGH] CWE-787 CVE-2025-48623: In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input valid In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48606 [HIGH] CVE-2025-48606: In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48588 [HIGH] CVE-2025-48588: In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic err In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48620 [HIGH] CVE-2025-48620: In onSomePackagesChanged of VoiceInteractionManagerService.java, there is a possible way for a third In onSomePackagesChanged of VoiceInteractionManagerService.java, there is a possible way for a third party application's component name to persist even after uninstalling due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48597 [HIGH] CWE-1021 CVE-2025-48597: In multiple locations, there is a possible way to trick a user into accepting a permission due to a In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48592 [HIGH] CWE-125 CVE-2025-48592: In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer ov In initDecoder of C2SoftDav1dDec.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48525 [HIGH] CWE-20 CVE-2025-48525: In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue read In disassociate of DisassociationProcessor.java, there is a possible way for an app to continue reading notifications when not associated to a companion device due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48589 [HIGH] CVE-2025-48589: In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grand permissio In multiple functions of HeaderPrivacyIconsController.kt, there is a possible way to grand permissions across user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48615 [HIGH] CWE-770 CVE-2025-48615: In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due In getComponentName of MediaButtonReceiverHolder.java, there is a possible desync in persistence due to resource exhaustion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48612 [HIGH] CWE-20 CVE-2025-48612: In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set t In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48638 [HIGH] CWE-787 CVE-2025-48638: In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input val In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48599 [HIGH] CWE-862 CVE-2025-48599: In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device confi In multiple functions of WifiScanModeActivity.java, there is a possible way to bypass a device config restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48564 [HIGH] CWE-362 CVE-2025-48564: In multiple locations, there is a possible intent filter bypass due to a race condition. This could In multiple locations, there is a possible intent filter bypass due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48596 [HIGH] CWE-125 CVE-2025-48596: In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. T In appendFrom of Parcel.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48627 [HIGH] CVE-2025-48627: In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch a In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48565 [HIGH] CVE-2025-48565: In multiple locations, there is a possible way to bypass the cross profile intent filter due to a lo In multiple locations, there is a possible way to bypass the cross profile intent filter due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48583 [HIGH] CVE-2025-48583: In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a In multiple functions of BaseBundle.java, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48575 [HIGH] CWE-862 CVE-2025-48575: In multiple functions of CertInstaller.java, there is a possible way to install certificates due to In multiple functions of CertInstaller.java, there is a possible way to install certificates due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48566 [HIGH] CWE-20 CVE-2025-48566: In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent d In multiple locations, there is a possible bypass of user profile boundary with a forwarded intent due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48580 [HIGH] CVE-2025-48580: In connectInternal of MediaBrowser.java, there is a possible way to access while in use permission w In connectInternal of MediaBrowser.java, there is a possible way to access while in use permission while the app is in background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.