CVE-2025-48526
📋 TL;DR
This vulnerability allows an Android app to launch the ChooserActivity in another user profile without proper authorization due to improper input validation. It enables local privilege escalation without requiring user interaction or additional execution privileges. Affected systems are Android devices with multiple user profiles enabled.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
Android by Google
Android by Google
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain access to sensitive data or functionality in another user profile, potentially compromising user isolation and data separation between profiles.
Likely Case
Malicious apps could bypass profile isolation to access or manipulate data in other user profiles on the same device.
If Mitigated
With proper Android security updates and app sandboxing, the impact is limited to profile boundary violations rather than full system compromise.
🎯 Exploit Status
Exploitation requires a malicious app to be installed on the target device. No user interaction is needed once the app is installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android September 2025 security update or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-09-01
Restart Required: No
Instructions:
1. Check for Android system updates in Settings > System > System update. 2. Install the September 2025 security update or later. 3. Verify the update was successful by checking the Android security patch level.
🔧 Temporary Workarounds
Disable multiple user profiles
androidDisable the multiple user profiles feature to prevent exploitation of this vulnerability
Restrict app installations
androidOnly install apps from trusted sources like Google Play Store and avoid sideloading unknown apps
🧯 If You Can't Patch
- Monitor for suspicious app behavior crossing profile boundaries
- Implement strict app installation policies and review installed apps regularly
🔍 How to Verify
Check if Vulnerable:
Check Android security patch level in Settings > About phone > Android version. If patch level is before September 2025, the device is vulnerable.Check Version:
Settings > About phone > Android version > Security patch levelVerify Fix Applied:
Verify the Android security patch level shows September 2025 or later in Settings > About phone > Android version.📡 Detection & Monitoring
Log Indicators:
- Unusual ChooserActivity launches across different user profiles
- Intent resolution attempts crossing profile boundaries
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
Look for Android system logs showing ChooserActivity launches with cross-profile intent flags or unusual profile switching patterns