CVE-2025-48630

High

Published: 02 March 2026

Published

02 March 2026

Modified

06 March 2026

KEV Added

—

Patch

—

CVSS Score 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0000 0.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-48630 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Google Android. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-30 Concealment and Misdirection

addresses: CWE-208

Timing randomization or delays can mask true operation timing and mislead timing-based attacks.

SC-31 Covert Channel Analysis

addresses: CWE-208

Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Side-channel info disclosure in GPU cache directly enables local privilege escalation without privileges or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In drawLayersInternal of SkiaRenderEngine.cpp, there is a possible way to access the GPU cache due to side channel information disclosure. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

exploitation.

Deeper analysisAI

CVE-2025-48630 is a side-channel information disclosure vulnerability located in the drawLayersInternal function of SkiaRenderEngine.cpp. It enables unauthorized access to the GPU cache. This issue affects the Android platform, as evidenced by its inclusion in the Android security bulletin.

A local attacker can exploit this vulnerability without requiring additional execution privileges or user interaction. Exploitation involves high attack complexity due to the side-channel nature (CWE-208). Successful attacks lead to local escalation of privilege, with high impacts on confidentiality, integrity, and availability, as scored at 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Android security bulletin published on March 1, 2026, at https://source.android.com/docs/security/bulletin/2026/2026-03-01 details patches and mitigation guidance for this vulnerability.

Details

CWE(s): CWE-208

Affected Products

google

android

14.0, 15.0, 16.0

CVEs Like This One

CVE-2025-48574Same product: Google Android

CVE-2025-36920Same product: Google Android

CVE-2026-0011Same product: Google Android

CVE-2026-0020Same product: Google Android

CVE-2026-0117Same product: Google Android

CVE-2024-53833Same product: Google Android

CVE-2026-0010Same product: Google Android

CVE-2026-0037Same product: Google Android

CVE-2025-48577Same product: Google Android

CVE-2024-49742Same product: Google Android

References

https://source.android.com/docs/security/bulletin/2026/2026-03-01
security@android.com