CVE-2025-32313

High

Published: 02 March 2026

Published

02 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32313 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, reporting, and timely correction of the specific out-of-bounds write flaw via patching.

SI-16 Memory Protection good match

prevent

Implements memory safeguards like DEP and ASLR to prevent successful exploitation of the out-of-bounds write for privilege escalation.

SI-10 Information Input Validation partial match

prevent

Requires validation of information inputs including bounds checks to mitigate the incorrect bounds check causing the out-of-bounds write.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in Android system component directly enables local privilege escalation (T1068) with no auth or interaction required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In UsageEvents of UsageEvents.java, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2025-32313 is a vulnerability in the UsageEvents component of Android, specifically within UsageEvents.java, that enables a possible out-of-bounds write due to an incorrect bounds check. Classified under CWE-787 (Out-of-bounds Write), it was published on 2026-03-02 and carries a CVSS v3.1 base score of 8.4 (High), with the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

A local attacker can exploit this vulnerability without requiring additional execution privileges or any user interaction. Exploitation results in local escalation of privilege, allowing the attacker to achieve high impacts on confidentiality, integrity, and availability.

The Android Security Bulletin provides details on mitigation and patches, available at https://source.android.com/docs/security/bulletin/2026/2026-03-01.

Details

CWE(s): CWE-787

Affected Products

google

android

14.0, 15.0, 16.0

CVEs Like This One

CVE-2026-0010Same product: Google Android

CVE-2024-53838Same product: Google Android

CVE-2026-0123Same product: Google Android

CVE-2024-53837Same product: Google Android

CVE-2026-0124Same product: Google Android

CVE-2024-49745Same product: Google Android

CVE-2026-0117Same product: Google Android

CVE-2026-0037Same product: Google Android

CVE-2024-49738Same product: Google Android

CVE-2024-53833Same product: Google Android

References

https://source.android.com/docs/security/bulletin/2026/2026-03-01
security@android.com