Cyber Resilience

CVE-2025-48609

Severity: Critical · Tag: DDoS

Published: 02 March 2026
Modified: 06 March 2026
KEV Added: not listed
Patch: available (see the Android security bulletin below)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0026 (17.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-48609 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Google Android. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE ranks at the 17.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-48609 is a path traversal vulnerability affecting multiple functions in MmsProvider.java within the Android Open Source Project. The flaw enables arbitrary file deletion that disrupts telephony, SMS, and MMS functionalities due to improper path handling. No additional execution privileges are required, and user interaction is not needed for exploitation. It is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-400.

Attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction. Successful exploitation allows arbitrary deletion of files critical to telephony, SMS, and MMS services, resulting in a local denial of service with high impact on integrity and availability.

The Android security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-03-01 details mitigation, including patches for affected Android versions published on 2026-03-02.
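The defensive check that addresses this bug class, as an added example and not AOSP or MmsProvider code: a delete path that accepts a caller-supplied file name canonicalizes it and confirms the result still lies inside the provider's data directory before unlinking anything. The class name, the directory name and the sample file names are assumptions constructed for the example.

```java
import java.io.File;
import java.io.IOException;

// Added example (not AOSP code): confine an untrusted file name to a fixed
// data directory before deleting. Class and directory names are assumptions.
public final class ConfinedDelete {
    private final File baseDir;

    public ConfinedDelete(File baseDir) throws IOException {
        // Canonicalize once so symlinks and ".." in the base itself are resolved.
        this.baseDir = baseDir.getCanonicalFile();
    }

    /** Returns the canonical file if it lies strictly inside baseDir, else null. */
    public File resolveInside(String untrustedName) throws IOException {
        File candidate = new File(baseDir, untrustedName).getCanonicalFile();
        // Compare with a trailing separator so "/data/mms" does not accept
        // "/data/mms-evil/x" as a prefix match, and refuse the base itself.
        String prefix = baseDir.getPath() + File.separator;
        if (candidate.equals(baseDir) || !candidate.getPath().startsWith(prefix)) {
            return null;
        }
        return candidate;
    }

    /** Deletes only when the resolved path stays inside baseDir. */
    public boolean deleteIfInside(String untrustedName) throws IOException {
        File target = resolveInside(untrustedName);
        return target != null && target.delete();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory under the system temp dir.
        File base = new File(System.getProperty("java.io.tmpdir"), "mms-parts");
        base.mkdirs();
        ConfinedDelete cd = new ConfinedDelete(base);
        System.out.println(cd.resolveInside("part1.jpg"));         // plain name under the base
        System.out.println(cd.resolveInside("../../etc/hosts"));   // traversal attempt, rejected
        System.out.println(cd.resolveInside("sub/../part2.jpg"));  // normalized, still inside
    }
}
```

The same check belongs in every code path that turns a caller-supplied identifier into a file operation, which is why the record lists multiple functions in MmsProvider.java rather than a single one.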

Vulnerability details

In multiple functions of MmsProvider.java, there is a possible way to arbitrarily delete files which affect telephony, SMS, and MMS functionalities due to a path traversal error. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Path traversal enables arbitrary file deletion, directly mapping to data destruction for DoS impact on critical services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-49749 (same product: Google Android)
CVE-2025-48646 (same product: Google Android)
CVE-2024-43077 (same product: Google Android)
CVE-2026-0106 (same product: Google Android)
CVE-2024-53840 (same product: Google Android)
CVE-2025-48574 (same product: Google Android)
CVE-2024-49732 (same product: Google Android)
CVE-2025-48619 (same product: Google Android)
CVE-2024-49747 (same product: Google Android)
CVE-2024-49742 (same product: Google Android)

Affected Assets

Google Android 14.0, 15.0, 16.0

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (function: prevent)
Requires validation of information inputs, directly preventing path traversal attacks in MmsProvider.java functions by ensuring proper path handling.

SI-2 Flaw Remediation (function: prevent, recover)
Mandates timely identification, reporting, and correction of flaws like this path traversal vulnerability, including application of patches from the Android security bulletin.

Access Enforcement (function: prevent)
Enforces approved authorizations for logical access to files, providing defense-in-depth against unauthorized deletions enabled by path traversal.
