High

Confused deputy privilege escalation in Android 16 System UI

IdentifiersCVE-2025-32320CWE-441· Unintended Proxy or Intermediary…

CVE-2025-32320 is a high-severity local elevation-of-privilege vulnerability in Android 16 affecting the System UI component. According to the provided content, the issue is a confused deputy flaw in System UI media handling in which the component does not correctly validate the requesting user context when processing image access requests. As a result, System UI can be induced to act on behalf of an unauthorized local user or app and expose images belonging to other user profiles on the same device. The vulnerability breaks Android's intended multi-user isolation model on shared devices. The available content does not identify a specific vulnerable function or code path.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker to bypass user/profile isolation and view images belonging to other users on the same Android device. This constitutes local privilege escalation and unauthorized access to sensitive user data. The primary impact described in the provided content is cross-user data exposure rather than arbitrary code execution. No user interaction is required, which increases exploitability for a malicious local application already present on the device.

Mitigation

If you can’t patch tonight, do this now.

Until patches are deployed, reduce exposure by limiting use of affected shared or multi-user Android 16 devices, restricting installation of untrusted local applications, and enforcing application allowlisting or enterprise mobile device management controls where available. Because exploitation is local and requires no user interaction, minimizing the ability of untrusted apps to execute on the device is the most relevant interim mitigation. The content also notes that Android platform protections and Google Play Protect reduce the likelihood of successful exploitation, though they are not a substitute for patching.

Remediation

Patch, then assume compromise.

Apply the Android security update that fixes CVE-2025-32320. The provided content states that Android 16 devices before security patch level 2025-09-05 are vulnerable, so updating to security patch level 2025-09-05 or later remediates the issue. In operational terms, deploy the relevant Google/OEM security bulletin update across affected Android 16 devices and ensure downstream manufacturer and carrier images incorporate the fix.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleAndroidoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

zeropath blogNews

Sep 5, 2025

Android System UI CVE-2025-32320: Brief Summary of a Confused Deputy Privilege Escalation Vulnerability - ZeroPath Blog | ZeroPath

A confused deputy vulnerability in Android 16 System UI that allows a local attacker or malicious app to access images from other user profiles on the same shared device, bypassing Android multi-user isolation and enabling local privilege escalation without user interaction.

zeropath blogNews

Sep 5, 2025

Android Skia Heap Buffer Overflow (CVE-2025-32318): Brief Summary and Patch Guidance - ZeroPath Blog | ZeroPath

An elevation of privilege vulnerability in the Android Framework component addressed in the Android 16 release.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-32320

NVD

nvd.nist.gov/vuln/detail/CVE-2025-32320

MITRE CWE · CWE-441

Unintended Proxy or Intermediary ('Confused…

Vendor Advisory

source.android.com/security/bulletin/android-16