CVE-2025-32348 - Vulnerability Details

Description

In multiple locations, there is a possible background activity launch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Published: 2026-06-01

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Multiple Android components can start a background activity without performing a permission check. The flaw allows a user‑owned application to launch privileged background tasks that run with higher privileges than the originating app, potentially compromising device security. The vulnerability requires no special user interaction, enabling a local attacker to elevate privileges by simply initiating the background activity.

Affected Systems

The flaw affects devices running Google Android versions 14.0, 15.0, 16.0, and the Android QPR2 beta releases qpr2_beta_1 through qpr2_beta_3. Any installation running these OS versions prior to the fix is vulnerable.

Risk and Exploitability

The CVSS score is 7.8, indicating a high‑impact flaw. The EPSS score of less than 1% suggests exploitation is unlikely but possible. The vulnerability is not listed in the CISA KEV catalog. Because no user interaction is needed, a local attacker can exploit it at any time. The impact is limited to the device, with no outbound network traffic required.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Android

unaffected

Version	Status	Constraints
`16-qpr2`	affected	—
`16`	affected	—
`15`	affected	—
`14`	affected	—

Configuration 1 [-]

OR	cpe:2.3:o:google:android:14.0:::::::*
	cpe:2.3:o:google:android:15.0:::::::*
	cpe:2.3:o:google:android:16.0:-::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_1::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_2::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_3::::::

No data.

Vendor Product Confidence Versions

Google

Android

100%

Version	Status	Scheme	Platform
`16-qpr2`	affected	generic	—
`16`	affected	generic	—
`15`	affected	generic	—
`14`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest Android security update as documented in the June 2026 security bulletin.
After updating, reboot the device to ensure all permission checks are enforced.
Periodically review device logs for unexpected background activity launches and investigate any anomalies through the Android monitoring tools.

Generated by OpenCVE AI on June 3, 2026 at 03:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00072.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://source.android.com/docs/security/bulletin/2026/2026-06-01

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
Title	Android Background Activity Launch Privilege Escalation
Weaknesses	CWE-269 CWE-294	CWE-863

Tue, 02 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Title		Android Background Activity Launch Privilege Escalation
Weaknesses		CWE-269 CWE-294 NVD-CWE-noinfo
CPEs		cpe:2.3:o:google:android:14.0:::::::* cpe:2.3:o:google:android:15.0:::::::* cpe:2.3:o:google:android:16.0:-:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_1:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_2:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_3::::::

Tue, 02 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Title	Background Activity Launch Missing Permission Check Allows Local Privilege Escalation
Weaknesses	CWE-285 CWE-668

Tue, 02 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 02 Jun 2026 01:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android
Vendors & Products		Google Google android

Mon, 01 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Background Activity Launch Missing Permission Check Allows Local Privilege Escalation
Weaknesses		CWE-285 CWE-668

Mon, 01 Jun 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		In multiple locations, there is a possible background activity launch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References		https://source.android.com/docs/security/bulletin/2026/2026-06-01

Subscriptions

Google Android

MITRE

Status: PUBLISHED

Assigner: google_android

Published: 2026-06-01T21:14:49.512Z

Updated: 2026-06-03T03:55:28.961Z

Reserved: 2025-04-04T23:31:03.897Z

Link: CVE-2025-32348

Vulnrichment

Updated: 2026-06-02T13:34:53.561Z

NVD

Status : Modified

Published: 2026-06-01T22:16:17.720

Modified: 2026-06-02T22:16:16.120

Link: CVE-2025-32348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T03:30:06Z

Weaknesses

CWE-863
Incorrect Authorization
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object