CVE-2025-48591
📋 TL;DR
CVE-2025-48591 allows a local attacker to read files belonging to other users on an Android device without holding any permissions and without user interaction. It affects Android devices configured with more than one user account. The root cause is missing permission checks in several framework components, which results in information disclosure across user boundaries.
💻 Affected Systems
- Android OS
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could read sensitive files from other user accounts including personal documents, authentication tokens, app data, and configuration files, potentially leading to account compromise or privacy violations.
Likely Case
Malicious apps or users could access limited cross-user data, potentially exposing some personal information or app-specific data from other accounts on shared devices.
If Mitigated
With proper Android security updates and user account separation, the risk is limited to devices with multiple untrusted users sharing physical access.
🎯 Exploit Status
Exploitation requires local access to the device but no special permissions. The vulnerability is in the Android framework and MMS services components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Update December 2025
Vendor Advisory: https://source.android.com/security/bulletin/2025-12-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update.
2. Apply the December 2025 security update.
3. Restart the device after installation.
🔧 Temporary Workarounds
Disable multiple user accounts
Remove additional user accounts to eliminate cross-user file access vectors
Settings > System > Multiple users > Remove additional users
Restrict app permissions
Review and restrict file access permissions for untrusted applications
Settings > Apps > [App Name] > Permissions > Files and media > Don't allow
🧯 If You Can't Patch
- Isolate devices with sensitive data to single-user mode only
- Implement device access controls and physical security measures
🔍 How to Verify
Check if Vulnerable:
Check Android version and security patch level in Settings > About phone > Android version
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify security patch level shows 'December 1, 2025' or later in Settings > About phone
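To automate the patch-level check above, here is an added shell example (not part of the advisory) that compares the value of ro.build.version.security_patch with the December 2025 bulletin date; the function names are assumptions, and the fix date 2025-12-01 is taken from the "Verify Fix Applied" note.

```shell
# Added example: not from the original advisory.
# Android reports its security patch level as YYYY-MM-DD (e.g. 2025-12-05).
FIX_PATCH_LEVEL="2025-12-01"   # first patch level carrying the fix for CVE-2025-48591

# patch_is_fixed <patch_level>: returns 0 when the level is on or after the fix date.
patch_is_fixed() {
  level="$1"
  # Anything that is not a YYYY-MM-DD string (empty output, a malformed value)
  # cannot prove the fix is present, so it is treated as unpatched.
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # Strip the dashes and compare as integers (20251201 >= 20251201 etc.);
  # this is portable to any POSIX sh, unlike string "<"/">" tests.
  have=$(printf '%s' "$level" | tr -d '-')
  want=$(printf '%s' "$FIX_PATCH_LEVEL" | tr -d '-')
  [ "$have" -ge "$want" ]
}

# check_device: query the connected device over adb and print a verdict.
# Exits non-zero when the device should be considered vulnerable.
check_device() {
  level="$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')"
  if patch_is_fixed "$level"; then
    echo "patch level $level: fix for CVE-2025-48591 present"
  else
    echo "patch level '${level:-unknown}': device may be vulnerable to CVE-2025-48591"
    return 1
  fi
}
```

Run `check_device` with a device attached and USB debugging enabled; the exit status can be fed into a fleet inventory script.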
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns across user boundaries in Android system logs
- Permission denial errors for cross-user file operations
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
android_logs:event_type="file_access" AND src_user!=dst_user AND result="success"