Description
In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A permissions bypass lets an attacker reset the user-selected permission configuration in several locations, elevating privileges from a regular user to a higher level without requiring any additional execution privileges. The record classifies the flaw under CWE-285, CWE-693 and CWE-862. As a local privilege escalation, it gives the attacker broader control over device functions and data. No user interaction is needed for exploitation, so an adversary already present on the device can use it without the user's involvement.

Affected Systems

The vulnerability affects Android devices produced or maintained by Google. Specific model or OS version information is not provided in the advisory, so all Android releases that contain the affected code paths should be considered at risk until a patch is applied.

Risk and Exploitability

The flaw has a CVSS score of 7.8 and is classified in the advisory as a local privilege escalation. Because exploitation requires neither user interaction nor elevated execution rights, any local attacker with access to the device can perform it. The EPSS score is below 1%, which indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 2, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch referenced in the official security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01
  • If a patch is not yet available, limit user permissions for apps that may be affected by resetting permissions, or disable any settings that allow permission alterations via device settings dialogs
  • Monitor device logs for anomalous permission changes and investigate any unexpected elevation of privileges
  • Follow Android best practices for securing device access, such as enabling a strong device lock and restricting local physical access to the device

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Title Android Permission Reset Bypass Allowing Local Privilege Escalation
Weaknesses CWE-285
CWE-862

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Android Permission Reset Bypass Allowing Local Privilege Escalation
Weaknesses CWE-285
CWE-862

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T13:27:56.465Z

Reserved: 2025-05-22T18:12:46.995Z

Link: CVE-2025-48649

Vulnrichment

Updated: 2026-06-02T13:27:35.697Z

NVD

Status: Undergoing Analysis

Published: 2026-06-01T22:16:18.947

Modified: 2026-06-02T14:16:34.047

Link: CVE-2025-48649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T17:15:19Z
