Cyber Resilience

CVE-2025-48611

Critical

Published: 10 March 2026

Published
10 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0019 9.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-48611 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Google Android. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-48611 is a vulnerability in the DeviceId component implemented in DeviceId.java, where a missing bounds check enables a desync in persistence. This issue, classified under CWE-120, affects Android Pixel devices and was published on 2026-03-10. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity with potential for high-impact effects across confidentiality, integrity, and availability.

The vulnerability enables local escalation of privilege without requiring additional execution privileges or user interaction. Given the CVSS vector's network attack vector (AV:N) and lack of privileges (PR:N), an unprivileged attacker could potentially trigger it remotely, achieving privilege escalation on the affected device with changed scope (S:C).

Mitigation details are provided in the Android Pixel security bulletin at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01.

EU & UK References

Vulnerability details

In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow (CWE-120) in DeviceId component directly enables privilege escalation on Android without user interaction or additional privileges.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28580Same product: Google Android
CVE-2026-0110Same product: Google Android
CVE-2018-9387Same product: Google Android
CVE-2024-47032Same product: Google Android
CVE-2025-48574Same product: Google Android
CVE-2026-0028Same product: Google Android
CVE-2026-0117Same product: Google Android
CVE-2026-0032Same product: Google Android
CVE-2018-9382Same product: Google Android
CVE-2025-48578Same product: Google Android

Affected Assets

google
android
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation including bounds checks on inputs to the DeviceId component, directly preventing the desync in persistence due to the missing bounds check.

preventdetect

Implements memory protections that restrict unauthorized memory access and detect attempts, mitigating exploitation of the missing bounds check leading to privilege escalation.

prevent

Enforces process isolation to contain the impact of local privilege escalation resulting from the DeviceId persistence desync vulnerability.

References