Description
In VBMeta, there is a possible way to modify and resign VBMeta using a test key, assuming the original image was previously signed with the same key. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Android’s VBMeta component, allowing a malicious party to modify and resign a device image with a test key that matches the key used to sign the original image. This flaw permits an attacker to gain elevated privileges on a device without any special execution rights or user interaction, potentially enabling the installation of unauthorized code or services. The weakness aligns with CWE-269, improper restriction of excessive privileges.

Affected Systems

Android operating systems released by Google are affected. No specific versions are listed, so the issue likely applies to all builds that incorporate Git-based VBMeta signing procedures. The vulnerability is present wherever the same signing key can be reused to validate VBMeta metadata.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests exploitation is unlikely at present, and the vulnerability is not in the CISA KEV catalog. Exploitation requires a local attacker who can access the device and the test signing key, but it does not need any user interaction. If an attacker can obtain the key, the attack vector is local and straightforward, making the vulnerability noteworthy for devices exposed to insider threats or where test keys are stored insecurely.

Generated by OpenCVE AI on April 22, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Android security patch or upgrade to the latest release that contains the VBMeta fix
  • Secure or remove any test signing keys from the device, ensuring they are stored only on trusted, encrypted media
  • Verify that all device images are signed with authorized production keys and validate signatures before deployment

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 04:30:00 +0000
  Type                | Values Removed | Values Added
  References          |                |

Fri, 06 Mar 2026 04:15:00 +0000
  Type                | Values Removed | Values Added
  References          |                |

Tue, 03 Mar 2026 18:15:00 +0000
  Type                | Values Removed | Values Added
  First Time appeared |                | Google; Google android
  CPEs                |                | cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
  Vendors & Products  |                | Google; Google android

Tue, 03 Mar 2026 16:15:00 +0000
  Type                | Values Removed | Values Added
  Weaknesses          |                | CWE-269
  Metrics             |                | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                      |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000
  Type                | Values Removed | Values Added
  Description         |                | In VBMeta, there is a possible way to modify and resign VBMeta using a test key, assuming the original image was previously signed with the same key. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
  References          |                |

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-04-21T02:41:16.037Z

Reserved: 2025-05-22T18:12:23.625Z

Link: CVE-2025-48613

Vulnrichment

Updated: 2026-03-03T15:23:51.126Z

NVD

Status: Modified

Published: 2026-03-02T19:16:27.160

Modified: 2026-03-06T04:15:58.850

Link: CVE-2025-48613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses