Description
In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-04-06
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Update
AI Analysis

Impact

The KMKeymasterApplet implementation in Android contains an input validation flaw in its importWrappedKey routine. An attacker able to supply crafted data to this method can retrieve cryptographic keys that were intended to remain inaccessible. The vulnerability does not require elevated privileges or any user interaction, meaning a local adversary or malicious application can exploit it directly on the device. While the compromise remains limited to key material, the disclosure can enable the attacker to decrypt stored data or impersonate the device.

Affected Systems

Android devices whose operating system contains the unpatched KMKeymasterApplet are affected. No specific OS releases are enumerated in the advisory, implying that all versions lacking the fix remain vulnerable until an over‑the‑air update or manual patch is applied by Google.

Risk and Exploitability

The CVSS vector indicates low severity with a score of 4.0, and the EPSS value is below 1 %, suggesting a very low likelihood of exploitation. The vulnerability is absent from the CISA keV catalog, indicating no known active exploitation. A local attacker or any code executing on the device can trigger the flaw, but remote exploitation or privilege escalation is not supported by the description.

Generated by OpenCVE AI on April 13, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch or complete OTA update from Google
  • If no update is available, restrict execution of applications that may interact with the keymaster service until a fix is released
  • Verify that no rogue or unsigned applications are installed that could abuse the keymaster

Generated by OpenCVE AI on April 13, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Local Key Disclosure via Improper Input Validation in Android Keymaster Applet
Weaknesses CWE-20
CWE-200

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Improper Input Validation in Android Keymaster Applet
Weaknesses CWE-20
CWE-200

Fri, 10 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Improper Input Validation in Android Keymaster Applet
Weaknesses CWE-20
CWE-200

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title StrongBox Key Management Vulnerability
Weaknesses CWE-200
CWE-285

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description StrongBox in Android before security patch level 2026-04-05 has a vulnerability of High Severity, aka A-434039170, A-467765081, A-467765894, and A-467762899. In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title StrongBox Key Management Vulnerability
Weaknesses CWE-200
CWE-285

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description StrongBox in Android before security patch level 2026-04-05 has a vulnerability of High Severity, aka A-434039170, A-467765081, A-467765894, and A-467762899.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-04-13T20:16:29.740Z

Reserved: 2025-05-22T18:12:46.995Z

Link: CVE-2025-48651

cve-icon Vulnrichment

Updated: 2026-04-13T20:16:01.809Z

cve-icon NVD

Status : Modified

Published: 2026-04-06T19:16:25.867

Modified: 2026-04-13T21:16:23.373

Link: CVE-2025-48651

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:41:11Z

Weaknesses