Description
In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in CarrierConfigLoader.overrideConfig, where a permissions bypass allows an application to evade the UID verification. This flaw, an instance of insufficient privilege checks and improper access control (CWE-862), enables a local attacker to gain higher privileges without needing separate execution rights or user interaction. The flaw effectively changes the security context of a calling component, allowing it to perform privileged operations.

Affected Systems

Android devices that include the vulnerable CarrierConfigLoader component are affected. The specific Android releases are not enumerated in the data, so any device running an unpatched version of CarrierConfigLoader could be at risk.

Risk and Exploitability

The CVSS score of 7.8 and the EPSS score below 1% indicate a high‑severity flaw with currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. However, because the attack does not require user interaction and needs only local execution, the risk to individual devices is significant. An attacker with local access could exploit the flaw to elevate privileges and compromise system integrity. The attack vector is local; no remote exploitation is implied.

Generated by OpenCVE AI on June 18, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest Android version that contains the fix for the carrier configuration permissions issue.
  • Verify that any third‑party apps using carrier configuration APIs are updated and that they run under appropriate user identifiers.
  • Restrict or disable carrier configuration privileges for untrusted applications via device administration or app‑level permission management.

Generated by OpenCVE AI on June 18, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Carrier Configuration Permissions Bypass Leading to Local Privilege Escalation on Android

Thu, 18 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Permission Bypass in CarrierConfigLoader Allows Local Privilege Escalation
Weaknesses CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Permission Bypass in CarrierConfigLoader Allows Local Privilege Escalation
Weaknesses CWE-285
CWE-862
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-18T03:55:47.661Z

Reserved: 2025-05-22T18:12:23.626Z

Link: CVE-2025-48617

cve-icon Vulnrichment

Updated: 2026-06-17T13:49:32.467Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses