High

Android Framework local privilege escalation in VoiceInteractionManagerService

IdentifiersCVE-2025-48620CWE-840

CVE-2025-48620 is an Android Framework elevation-of-privilege vulnerability in VoiceInteractionManagerService.java. According to the provided description, the flaw is in onSomePackagesChanged, where a logic error can allow a third-party application's component name to persist after the application has been uninstalled. This stale component state can then be abused to bypass intended package/component lifecycle handling and enable privilege escalation. The issue does not require user interaction and does not require additional execution privileges beyond those available to a local app on the device.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local attacker to escalate privileges from the context of a third-party application. Because the vulnerable state involves persistence of a component name after uninstall, the flaw may permit unauthorized association with privileged voice interaction functionality or related framework trust decisions, resulting in elevation of privilege within the Android Framework. No user interaction is required.

Mitigation

If you can’t patch tonight, do this now.

Until the security update is applied, mitigation options are limited because exploitation requires only local app execution and no user interaction. Reduce exposure by restricting installation of untrusted applications, enforcing application allow-listing in managed environments, and prioritizing deployment of the December 2025 Android security update or vendor-equivalent firmware. Enterprises should also ensure OEM/vendor images include the relevant Framework patch, not just the nominal patch level.

Remediation

Patch, then assume compromise.

Apply the Android security update that includes the fix for CVE-2025-48620, as provided in Google's December 2025 Android Security Bulletin. The supplied context indicates that devices updated to the 2025-12-05 security patch level are fully remediated for issues disclosed in that bulletin. OEM and downstream vendors should incorporate the corresponding Framework fix into supported Android 13–16 builds.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleAndroidoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cyberthroneNews

Dec 2, 2025

Android Patch Update December 2025

Android Framework elevation-of-privilege vulnerability fixed in the December 2025 bulletin.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-48620

NVD

nvd.nist.gov/vuln/detail/CVE-2025-48620

MITRE CWE · CWE-840

cwe.mitre.org

Patch

android.googlesource.com/platform/frameworks/base/+/84dd2b90f4a2ea1ebc5b78f08f14c5a3b92c9c2d

Patch

android.googlesource.com/platform/frameworks/base/+/db86972777c84a386d8a6d2d34879923bdbccdf6

Vendor Advisory

source.android.com/security/bulletin/2025-12-01