CRITICAL🇵🇱 Wersja polska

CVE-2025-48611

CVSS 10.0v3.1pub. 2026-03-10upd. 2026-03-30

In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

🤖 AI Analysis
How it works

In the DeviceId.java file, in the DeviceId method, range verification is missing during data operations. Omission of this check (CWE-120: buffer overflow) causes possible desynchronization in the data persistence mechanism. An attacker with local access to the device can exploit this irregularity without requiring user interaction or possession of elevated execution privileges.

Impact

An attacker can obtain local privilege escalation on a vulnerable Android device, potentially gaining control over system resources exceeding their original permission scope.

Mitigation & patch

Security patches available from the manufacturer should be applied in accordance with references — Pixel Security Bulletin published 2026-03-01 at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01

Who is affected

Google Android — versions indicated in manufacturer references (Pixel Security Bulletin from March 2026)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Google Android

    OS
    Google
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-16010CRITICAL9.6⚠ KEVten sam produkt

Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...

CVE-2016-1019CRITICAL9.8⚠ KEVten sam produkt

Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...

CVE-2026-13851CRITICAL9.1ten sam produkt

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...

CVE-2026-13852CRITICAL9.1ten sam produkt

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...

CVE-2026-14106CRITICAL9.6ten sam produkt

Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed ...