Description
In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-04-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local Information Disclosure
Action: Assess Impact
AI Analysis

Impact

The defect lies in the importWrappedKey routine of Android’s KMKeymasterApplet. A flaw in input validation allows a local caller to supply malformed data that bypasses protection checks, exposing cryptographic keys that are meant to be restricted. This is a classic example of CWE-20, Improper Input Validation, which leads to a confidentiality breach identified as CWE-200, Information Exposure.

Affected Systems

The vulnerability affects all Android builds that ship with the affected keymaster component, as specific versions are not listed in the advisory. The flaw is present in the Google Android platform, so any device running the platform and allowing local code execution could be impacted. Users with physical or local access to the device could exploit this without additional privileges or user interaction.

Risk and Exploitability

The EPSS score is under 1 percent and the issue is not recorded in the CISA KEV catalog, implying a low probability of widespread exploitation at present. Nonetheless, because it does not require elevation or network access, a malicious local application could obtain sensitive keys at any time. Applying the latest vendor patches and monitoring for anomalous keymaster usage remain recommended mitigations.

Generated by OpenCVE AI on April 8, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest Android security patch that addresses the issue
  • Disable or uninstall applications that request unnecessary keymaster access
  • Enforce device ownership policies to limit local access to cryptographic keys
  • Log and audit keymaster usage, and investigate any unexpected key extraction attempts

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Improper Input Validation in Android Keymaster Applet
Weaknesses CWE-20
CWE-200

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title StrongBox Key Management Vulnerability
Weaknesses CWE-200
CWE-285

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description StrongBox in Android before security patch level 2026-04-05 has a vulnerability of High Severity, aka A-434039170, A-467765081, A-467765894, and A-467762899. In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title StrongBox Key Management Vulnerability
Weaknesses CWE-200
CWE-285

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description StrongBox in Android before security patch level 2026-04-05 has a vulnerability of High Severity, aka A-434039170, A-467765081, A-467765894, and A-467762899.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-04-08T17:23:37.800Z

Reserved: 2025-05-22T18:12:46.995Z

Link: CVE-2025-48651

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-04-06T19:16:25.867

Modified: 2026-04-08T19:24:07.120

Link: CVE-2025-48651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:28:46Z

Weaknesses