Google Android vulnerabilities

CVE-2025-20722 [MEDIUM] CWE-190 CVE-2025-20722: In gnss driver, there is a possible out of bounds read due to an integer overflow. This could lead t In gnss driver, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09920036; Issue ID: MSV-3798.

CVE-2025-32318 [HIGH] CWE-122 CVE-2025-32318: In Skia, there is a possible out of bounds write due to a heap buffer overflow. This could lead to r In Skia, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-32320 [HIGH] CWE-441 CVE-2025-32320: In System UI, there is a possible way to view other users' images due to a confused deputy. This cou In System UI, there is a possible way to view other users' images due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-32316 [MEDIUM] CWE-787 CVE-2025-32316: In gralloc4, there is a possible out of bounds write due to a missing bounds check. This could lead In gralloc4, there is a possible out of bounds write due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-32317 [MEDIUM] CWE-441 CVE-2025-32317: In App Widget, there is a possible Information Disclosure due to a confused deputy. This could lead In App Widget, there is a possible Information Disclosure due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-26434 [MEDIUM] CWE-120 CVE-2025-26434: In libxml2, there is a possible out of bounds read due to a buffer overflow. This could lead to loca In libxml2, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-0028 [MEDIUM] CWE-862 CVE-2024-0028: In Audio Service, there is a possible way to obtain MAC addresses of nearby Bluetooth devices due to In Audio Service, there is a possible way to obtain MAC addresses of nearby Bluetooth devices due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-26461 [LOW] CWE-703 CVE-2025-26461: In Permission Manager, there is a possible way for the microphone privacy indicator to remain activa In Permission Manager, there is a possible way for the microphone privacy indicator to remain activated even after the user attempts to close the app due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-36904 [CRITICAL] CWE-269 CVE-2025-36904: WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-39645 WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-396458384.

CVE-2025-36896 [CRITICAL] CWE-269 CVE-2025-36896: WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-39476 WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-394765106.

CVE-2025-36897 [CRITICAL] CWE-787 CVE-2025-36897: In unknown of cd_CnMsgCodecUserApi.cpp, there is a possible out of bounds write due to a missing bou In unknown of cd_CnMsgCodecUserApi.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48531 [HIGH] CWE-693 CVE-2025-48531: In getCallingPackageName of CredentialStorage, there is a possible permission bypass due to a logic In getCallingPackageName of CredentialStorage, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-32332 [HIGH] CWE-416 CVE-2025-32332: In multiple locations, there is a possible memory corruption due to a use after free. This could lea In multiple locations, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-32326 [HIGH] CWE-441 CVE-2025-32326: In multiple functions of AppRestrictionsFragment.java, there is a possible way to bypass intent secu In multiple functions of AppRestrictionsFragment.java, there is a possible way to bypass intent security check due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVE-2025-26436 [HIGH] CWE-863 CVE-2025-26436: In clearAllowBgActivityStarts of PendingIntentRecord.java, there is a possible way for an applicatio In clearAllowBgActivityStarts of PendingIntentRecord.java, there is a possible way for an application to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-26435 [HIGH] CWE-269 CVE-2025-26435: In updateState of ContentProtectionTogglePreferenceController.java, there is a possible way for a se In updateState of ContentProtectionTogglePreferenceController.java, there is a possible way for a secondary user to disable the primary user's deceptive app scanning setting due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-36901 [HIGH] CWE-269 CVE-2025-36901: WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-39646 WLAN in Android before 2025-09-05 on Google Pixel devices allows elevation of privilege, aka A-396462223.

CVE-2025-32350 [HIGH] CWE-1021 CVE-2025-32350: In maybeShowDialog of ControlsSettingsDialogManager.kt, there is a possible overlay of the ControlsS In maybeShowDialog of ControlsSettingsDialogManager.kt, there is a possible overlay of the ControlsSettingsDialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-26443 [HIGH] CWE-693 CVE-2025-26443: In parseHtml of HtmlToSpannedParser.java, there is a possible way to install apps without allowing i In parseHtml of HtmlToSpannedParser.java, there is a possible way to install apps without allowing installation from unknown sources due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

CVE-2025-48548 [HIGH] CWE-362 CVE-2025-48548: In multiple functions of AppOpsControllerImpl.java, there is a possible way to record audio without In multiple functions of AppOpsControllerImpl.java, there is a possible way to record audio without displaying the privacy indicator due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.