CVE-2025-48609
Published: 02 March 2026
Summary
CVE-2025-48609 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Google Android. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The vulnerability ranks at the 17.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-48609 is a path traversal vulnerability affecting multiple functions in MmsProvider.java within the Android Open Source Project. The flaw enables arbitrary file deletion that disrupts telephony, SMS, and MMS functionalities due to improper path handling. No additional execution privileges are required, and user interaction is not needed for exploitation. It is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-400.
Attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction. Successful exploitation allows arbitrary deletion of files critical to telephony, SMS, and MMS services, resulting in a local denial of service with high impact on integrity and availability.
The Android security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-03-01 details mitigation, including patches for affected Android versions published on 2026-03-02.
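As an added illustration (not code from MmsProvider.java or any AOSP component), the following hypothetical Java helper shows the kind of path-containment check that keeps a caller-supplied file name from escaping a provider's storage directory, which is the defensive counterpart of the flaw described above. The class, method names, base directory and file names are all constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical helper, not AOSP code: deletes a file only if it stays inside baseDir. */
public final class ContainedDelete {
    private ContainedDelete() {}

    /**
     * Resolves a caller-supplied name against baseDir and returns the normalized
     * path if it remains inside baseDir, or null if it would escape via ".."
     * segments, an absolute path, or a symlink whose target lies elsewhere.
     */
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        Path base = baseDir.toRealPath();                  // canonical base, symlinks resolved
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base)) {                 // component-wise prefix check
            return null;
        }
        if (Files.exists(candidate)) {                     // existing entry: check its real target too
            Path real = candidate.toRealPath();
            if (!real.startsWith(base)) {
                return null;
            }
        }
        return candidate;
    }

    /** Returns true if a file inside baseDir was deleted; refuses anything that escapes it. */
    static boolean deleteInside(Path baseDir, String requested) throws IOException {
        Path target = resolveInside(baseDir, requested);
        if (target == null) {
            return false;                                  // refuse rather than delete elsewhere
        }
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("parts");    // constructed sample directory
        Files.createFile(base.resolve("PART_1"));          // constructed sample file
        System.out.println("in-directory delete succeeded: " + deleteInside(base, "PART_1"));
        System.out.println("traversal refused: " + !deleteInside(base, "../outside.txt"));
        Files.delete(base);
    }
}
```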
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208209
Vulnerability details
In multiple functions of MmsProvider.java, there is a possible way to arbitrarily delete files which affect telephony, SMS, and MMS functionalities due to a path traversal error. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file deletion, directly mapping to data destruction for DoS impact on critical services.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of information inputs, directly preventing path traversal attacks in MmsProvider.java functions by ensuring proper path handling.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws like this path traversal vulnerability, including application of patches from the Android security bulletin.
- Enforces approved authorizations for logical access to files, providing defense-in-depth against unauthorized deletions enabled by path traversal.