7.8

CVE-2025-48573

In sendCommand of MediaSessionRecord.java, there is a possible way to launch the foreground service while the app is in the background due to FGS while-in-use abuse. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GoogleAndroid Version13.0
GoogleAndroid Version14.0
GoogleAndroid Version15.0
GoogleAndroid Version16.0 Update-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.08% 0.002
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-250 Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

https://source.android.com/security/bulletin/2025-12-01
Vendor Advisory
https://android.googlesource.com/platform/frameworks/base/+/039030a6b0e7d255af70609a3607e805ad2a99ff
Patch
Product