CVE-2025-32312

7.8 HIGH

📋 TL;DR

This vulnerability allows local privilege escalation on Android devices by bypassing lazy bundle hardening through unsafe deserialization in PackageParser. Attackers can pass modified data between processes without user interaction. All Android devices running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Android OS
Versions: Android versions prior to June 2025 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All Android devices running vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise allowing attackers to execute arbitrary code with elevated privileges, potentially gaining persistent access and control over the device.

🟠 Likely Case

Local privilege escalation allowing malicious apps to gain higher permissions than intended, potentially accessing sensitive data or system functions.

🟢 If Mitigated

Limited impact if current Android security updates are applied and the device is not rooted or running untrusted apps.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with physical access can exploit this without additional privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of Android internals, but no user interaction is needed once malicious code is present.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2025 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-06-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System Update.
2. Install the June 2025 security patch or later.
3. Restart the device after installation.

🔧 Temporary Workarounds

Restrict app installations

Only install apps from trusted sources such as the Google Play Store, and disable installation from unknown sources.

Settings > Security > Install unknown apps > Disable for all apps

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app allowlisting (whitelisting) policies and monitor for suspicious app behavior

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version > Security patch level. If the date is before June 2025, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify that the security patch level shows 'June 5, 2025' or a later date in Settings > About phone.
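
The check above, scripted for several adb-connected devices at once. This is an added example, not part of the advisory; the function names and the `--scan` switch are assumptions, and a level that falls between the page's two statements (for example 2025-06-01) is reported as UNCONFIRMED rather than guessed.

```shell
#!/bin/sh
# Added example (not from the advisory page). Classifies an Android security
# patch level string against the dates the page gives for CVE-2025-32312.

# classify_patch_level <YYYY-MM-DD>
# Prints VULNERABLE, UNCONFIRMED, PATCHED or UNKNOWN.
classify_patch_level() {
    # Older adb builds return CRLF line endings; strip CR and whitespace.
    level=$(printf '%s' "$1" | tr -d '\r \t\n')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # empty, offline device, or odd format
    esac
    # An ISO date compares correctly as an integer once the dashes are gone.
    n=$(printf '%s' "$level" | tr -cd '0-9')
    if [ "$n" -lt 20250601 ]; then
        echo VULNERABLE      # "before June 2025" per the page
    elif [ "$n" -ge 20250605 ]; then
        echo PATCHED         # "June 5, 2025 or later" per the page
    else
        echo UNCONFIRMED     # covered by neither statement on the page
    fi
}

# check_connected_devices: run the page's getprop command on every device
# listed by `adb devices` and print "<serial> <level> <verdict>".
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null keeps adb from swallowing the remaining serial list.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        level=$(printf '%s' "$level" | tr -d '\r')
        printf '%s %s %s\n' "$serial" "$level" "$(classify_patch_level "$level")"
    done
}

# Scan only when asked to and when adb is installed.
if [ "${1:-}" = "--scan" ] && command -v adb >/dev/null 2>&1; then
    check_connected_devices
fi
```

Run the script with `--scan` to list every attached device with its verdict; devices shown as `unauthorized` or `offline` by adb are skipped.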

📡 Detection & Monitoring

Log Indicators:

  • Unusual PackageParser activity
  • Suspicious intent parsing errors
  • Unexpected process privilege changes

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable - primarily local device logs would need monitoring
