CVE-2025-48536
HIGHDescription
In grantAllowlistedPackagePermissions of SettingsSliceProvider.java, there is a possible way for a third party app to modify secure settings due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Is your site exposed to CVE-2025-48536?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| android | |
| android | |
| android | |
| android |
References
Frequently Asked Questions
What is CVE-2025-48536? +
How severe is CVE-2025-48536? +
What products are affected by CVE-2025-48536? +
How do I check if I'm vulnerable to CVE-2025-48536? +
Related Vulnerabilities
An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform …
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface …
Conduit is a chat server powered by Matrix. A vulnerability that affects a number of Conduit-derived homeservers allows a remote, …
Kofax Capture, now referred to as Tungsten Capture, version 6.0.0.0 (other versions may be affected) exposes a deprecated .NET Remoting …
Misskey is an open source, federated social media platform. The patch for CVE-2024-52591 did not sufficiently validate the relation between …
Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting. Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be …