CVE-2025-26426

5.1 MEDIUM

📋 TL;DR

This vulnerability in Android's BroadcastController allows a malicious app to intercept system broadcasts that are meant to be delivered only to the Android framework, because the component does not validate its input properly. The result is local privilege escalation: the attacker needs to get an app onto the device, but no further user interaction is required. Every Android device running a build without the fix is affected.

💻 Affected Systems

Products:
  • Android
Versions: Android builds with a security patch level earlier than May 2025 (2025-05-01)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the framework itself, so all devices on an affected build are vulnerable regardless of configuration; no setting disables the affected code path.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains elevated system privileges, potentially accessing sensitive data, modifying system settings, or installing persistent malware.

🟠 Likely Case

Malicious apps intercept sensitive system broadcasts to gather information about device state, user activity, or other apps' behavior.

🟢 If Mitigated

With app sandboxing and platform security controls intact, impact is limited to information disclosure within the malicious app's own context.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring app installation.
🏢 Internal Only: MEDIUM - Malicious apps could exploit this to escalate privileges and access sensitive data on the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a malicious app to be installed on the device (local attack vector). Once the app is installed, no further user interaction is needed for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level May 2025 or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-05-01

Restart Required: Yes. The fix ships as part of an OTA system update, and the device reboots to apply it.

Instructions:

1. Check for system updates in Settings > System > System update (the exact path varies by manufacturer).
2. Install the May 2025 Android security patch or later.
3. Verify the patch level in Settings > About phone > Android version.

🔧 Temporary Workarounds

Restrict app installations

Only install apps from trusted sources such as the Google Play Store, and avoid sideloading unknown apps. Exploitation requires a malicious app on the device, so controlling what gets installed removes the attack vector.

🧯 If You Can't Patch

  • Implement mobile device management (MDM) to control app installations and monitor for suspicious behavior.
  • Use application allowlisting to restrict which apps can run on the device.

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version. The patch level is shown as a date; if it is earlier than May 2025 (2025-05-01), the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the Android security patch level shows May 2025 or later in Settings > About phone > Android version, or that the property above returns a date of 2025-05-01 or later.
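The manual check above does not scale past a handful of devices. The script below is an added example, not part of this advisory or of Android's own tooling: it wraps the `adb shell getprop` check in a function that compares the returned date against the May 2025 threshold, and loops over every device that `adb devices` reports as authorised. It assumes `adb` is on PATH and USB debugging is enabled on the devices; the threshold date 2025-05-01 is the patch level named in the vendor advisory above.

```shell
#!/bin/sh
# Added example (not from the advisory or from Android): check the security
# patch level of attached Android devices against the May 2025 bulletin.
# Assumes adb is installed and the devices are authorised for USB debugging.

FIXED_PATCH_LEVEL="2025-05-01"   # patch level carrying the fix, per the advisory

# patch_level_is_fixed LEVEL
# LEVEL is the value of ro.build.version.security_patch, an ISO date
# (YYYY-MM-DD). Prints "fixed" (exit 0), "vulnerable" (exit 1) or
# "unknown" (exit 2) for input that is not a date.
patch_level_is_fixed() {
    # adb on some hosts returns CRLF line endings; drop the CR.
    level=$(printf '%s' "$1" | tr -d '\r')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    # Remove the dashes so the date becomes an integer (20250501) that
    # [ -ge ] can compare; ISO dates order correctly this way.
    n=$(printf '%s' "$level" | sed 's/-//g')
    fixed=$(printf '%s' "$FIXED_PATCH_LEVEL" | sed 's/-//g')
    if [ "$n" -ge "$fixed" ]; then
        echo "fixed"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# check_device SERIAL
# Queries one device and prints "serial<TAB>patch-level<TAB>status".
check_device() {
    serial="$1"
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch 2>/dev/null)
    status=$(patch_level_is_fixed "$level" || true)
    printf '%s\t%s\t%s\n' "$serial" "${level:-?}" "$status"
}

# check_all_devices
# Runs check_device for every device adb lists in the "device" (authorised)
# state; "unauthorized" and "offline" entries are skipped.
check_all_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        check_device "$serial"
    done
}

# Run the fleet scan only when invoked with --scan, so the functions can also
# be sourced and reused on their own.
if [ "${1:-}" = "--scan" ]; then
    check_all_devices
fi
```

Run it as `sh check_patch_level.sh --scan` with devices attached; each line reports the serial, the patch level string and "fixed" or "vulnerable". Devices that report "unknown" returned something other than a date (typically an empty string because the device was not authorised) and should be re-checked rather than assumed safe.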

📡 Detection & Monitoring

Log Indicators:

  • Unusual broadcast interception patterns in system logs (logcat), for example the same app repeatedly receiving or sending broadcasts it has no legitimate reason to handle
  • "Permission Denial" messages from ActivityManager when an app attempts to send or register for a protected (system-only) broadcast
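Triaging those indicators by hand across a logcat dump is tedious, so here is an added example (not from the advisory or from Android) of the aggregation step: a shell function that reads logcat text on standard input, keeps the framework's "Permission Denial: not allowed to send broadcast ..." lines, and counts them per uid and action so the noisiest app surfaces first. The exact wording of the denial message is assumed from the framework's usual "Permission Denial" log format and should be confirmed against the target build; the sample log lines embedded below are constructed for the example and are not real device output.

```shell
#!/bin/sh
# Added example (not from the advisory or from Android): count protected
# broadcast denials per uid from logcat output. Message wording is assumed
# from the framework's "Permission Denial" format; verify on your build.

# triage_broadcast_denials
# Reads logcat text on stdin and prints "uid<TAB>action<TAB>count",
# most frequent first. Lines that do not carry both a uid and an action
# are ignored.
triage_broadcast_denials() {
    awk '
        /Permission Denial: not allowed to send broadcast/ {
            action = ""; uid = ""
            # "send broadcast " is 15 characters; the action follows it.
            if (match($0, /send broadcast [^ ]+/))
                action = substr($0, RSTART + 15, RLENGTH - 15)
            # "uid=" is 4 characters; the numeric uid follows it.
            if (match($0, /uid=[0-9]+/))
                uid = substr($0, RSTART + 4, RLENGTH - 4)
            if (action != "" && uid != "")
                count[uid "\t" action]++
        }
        END {
            for (k in count) printf "%s\t%d\n", k, count[k]
        }
    ' | sort -t "$(printf '\t')" -k3,3nr -k1,1
}

# uid_to_package UID
# Resolves an app uid to its package name(s) on an attached device using
# "pm list packages -U"; assumes adb access and a reasonably recent build.
uid_to_package() {
    adb shell pm list packages -U 2>/dev/null | grep "uid:$1\$" | sed 's/^package://; s/ uid:.*//'
}

# Constructed sample logcat lines for demonstration only (not real output).
SAMPLE_LOGCAT='05-06 10:12:01.123  1234  1456 W ActivityManager: Permission Denial: not allowed to send broadcast android.intent.action.BOOT_COMPLETED from pid=10233, uid=10187
05-06 10:12:01.456  1234  1456 W ActivityManager: Permission Denial: not allowed to send broadcast android.intent.action.BOOT_COMPLETED from pid=10233, uid=10187
05-06 10:12:02.001  1234  1460 W ActivityManager: Permission Denial: not allowed to send broadcast android.intent.action.USER_PRESENT from pid=10233, uid=10187
05-06 10:12:05.777  1234  1470 I ActivityManager: Start proc 10300:com.example.app/u0a190 for broadcast
05-06 10:12:06.010  1234  1456 W ActivityManager: Permission Denial: not allowed to send broadcast android.net.conn.CONNECTIVITY_CHANGE from pid=10300, uid=10190'

# demo_triage
# Runs the triage over the constructed sample so the script works offline.
demo_triage() {
    printf '%s\n' "$SAMPLE_LOGCAT" | triage_broadcast_denials
}

# With a device attached, triage a live dump instead:
#   adb logcat -d | triage_broadcast_denials
demo_triage
```

On the constructed sample, uid 10187 tops the list with two BOOT_COMPLETED denials; feeding that uid to `uid_to_package` on the device identifies the app to pull for analysis. One denial from a legitimate app is common (developers do misuse protected actions), so treat a sustained burst from a single uid, especially a recently installed one, as the signal.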

Network Indicators:

  • Not applicable - this is a local vulnerability

SIEM Query:

Not applicable for typical SIEM monitoring: this is a local Android vulnerability and generates no network events. Where devices are enrolled in MDM/EMM, the practical signal is the management platform's app-inventory and patch-level telemetry (devices below the May 2025 patch level, newly sideloaded apps) rather than a log query.

🔗 References
