CVE-2025-26435 – This vulnerability allows a secondary user on a... (How to Fix)

Q: What is the severity of CVE-2025-26435?

CVE-2025-26435 has a CVSS score of 7.8 (HIGH). This vulnerability allows a secondary user on an Android device to disable the primary user's deceptive app scanning setting due to a logic error in the Settings app. This could enable local privilege escalation without requiring additional permissions or user interaction. Affected systems are Android devices with multiple user accounts.

📋 TL;DR

This vulnerability allows a secondary user on an Android device to disable the primary user's deceptive app scanning setting due to a logic error in the Settings app. This could enable local privilege escalation without requiring additional permissions or user interaction. Affected systems are Android devices with multiple user accounts.

💻 Affected Systems

Products:

Android Settings application

Versions: Android versions prior to the May 2025 security update

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with multiple user accounts enabled. Single-user devices are not vulnerable.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious secondary user could disable security protections for the primary user, potentially allowing installation of deceptive apps that compromise the primary user's data and device security.

🟠

Likely Case

Secondary users could disable security scanning for primary users, increasing risk of malware installation through deceptive apps.

🟢

If Mitigated

With proper user account separation and monitoring, impact is limited to potential security setting changes rather than direct data compromise.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring physical or remote access to the device.

🏢 Internal Only: HIGH - Exploitation requires access to a secondary user account on the device, making it a significant risk in shared device scenarios.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to a secondary user account but no special permissions. The vulnerability is in the Settings UI logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Update May 2025

Vendor Advisory: https://source.android.com/security/bulletin/2025-05-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the May 2025 security update. 3. Restart the device after installation.

🔧 Temporary Workarounds

Disable secondary user accounts

android

Remove or disable secondary user accounts to eliminate the attack vector

Settings > System > Multiple users > Remove secondary users

🧯 If You Can't Patch

Disable multiple user accounts feature on affected devices
Monitor Settings app changes and restrict secondary user permissions

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If before May 2025 security update and multiple users enabled, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android Security Patch Level shows 'May 5, 2025' or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

Settings app modifications to deceptive app scanning by secondary users
Unexpected changes to security settings

Network Indicators:

None - this is a local vulnerability

SIEM Query:

android.security.settings.changed user_type="secondary" setting="deceptive_app_scanning"

📊 Metadata

CVE ID: CVE-2025-26435

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

EPSS Score: 0.01% exploit probability (0.7th percentile)

Published: September 4, 2025

Last Updated: September 29, 2025

🔗 References

https://android.googlesource.com/platform/packages/apps/Settings/+/9dc0dd2c50ceb30ca5062ff3a02e48a8b4165863 Patch,Product
https://source.android.com/security/bulletin/2025-05-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26435, you might also want to check these: