
CVE-2025-22423

High

Published: 02 September 2025
Modified: 04 September 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0130 (80.2 percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22423 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Android. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 19.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-22423 is a missing-bounds-check flaw in the ParseTag function of dng_ifd.cpp within the external/dng_sdk component used by Android for processing DNG-format images. The issue is tracked as CWE-125 and carries a CVSS 3.1 base score of 7.5, reflecting network-reachable denial-of-service impact without any confidentiality or integrity loss.

An unauthenticated remote attacker can supply a crafted DNG file that triggers the out-of-bounds read during tag parsing; because exploitation requires no privileges and no user interaction, a successful attempt crashes the image-processing pipeline and produces a denial of service.

The Android Security Bulletin for April 2025 and the corresponding AOSP commit 748dbd7dfcecb19f3a19caaba4285e059f32d2dd address the vulnerability by adding the missing bounds validation; devices should be updated to a build that incorporates this change. EPSS remains flat at 0.0130 with no observed rise after disclosure.

Vulnerability details

In ParseTag of dng_ifd.cpp, there is a possible way to crash the image renderer due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Google Android 13.0, 14.0, 15.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.