CVE-2025-48632

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

I

n setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

Link	Resource
https://android.googlesource.com/platform/frameworks/base/+/de27b16b1af86d4ce18c9134d85b53331a8d2147	Patch Product
https://source.android.com/security/bulletin/2025-12-01	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:google:android:14.0:::::::*
	cpe:2.3:o:google:android:15.0:::::::*
	cpe:2.3:o:google:android:16.0:::::::*

History

08 Dec 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-08 17:16

Updated : 2025-12-08 20:15

NVD link : CVE-2025-48632

Mitre link : CVE-2025-48632

CVE.ORG link : CVE-2025-48632

JSON object : View

Products Affected

android

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2025-48632", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-12-08T17:16:19.487", "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/de27b16b1af86d4ce18c9134d85b53331a8d2147", "tags": ["Patch", "Product"], "source": "[email protected]"}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "lastModified": "2025-12-08T20:15:51.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}