Cyber Resilience

CVE-2025-48630

High

Published: 02 March 2026

Published
02 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0000 0.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-48630 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Google Android. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 PE-19 (Information Leakage) and SC-31 (Covert Channel Analysis).

Deeper analysis

CVE-2025-48630 is a side-channel information disclosure vulnerability located in the drawLayersInternal function of SkiaRenderEngine.cpp. It enables unauthorized access to the GPU cache. This issue affects the Android platform, as evidenced by its inclusion in the Android security bulletin.

A local attacker can exploit this vulnerability without requiring additional execution privileges or user interaction. Exploitation involves high attack complexity due to the side-channel nature (CWE-208). Successful attacks lead to local escalation of privilege, with high impacts on confidentiality, integrity, and availability, as scored at 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

The Android security bulletin published on March 1, 2026, at https://source.android.com/docs/security/bulletin/2026/2026-03-01 details patches and mitigation guidance for this vulnerability.

EU & UK References

Vulnerability details

In drawLayersInternal of SkiaRenderEngine.cpp, there is a possible way to access the GPU cache due to side channel information disclosure. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for…

more

exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Side-channel info disclosure in GPU cache directly enables local privilege escalation without privileges or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56192Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2026-0124Same product: Google Android
CVE-2024-49738Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2026-0023Same product: Google Android
CVE-2025-48574Same product: Google Android
CVE-2025-48647Same product: Google Android
CVE-2025-48646Same product: Google Android
CVE-2026-0026Same product: Google Android

Affected Assets

google
android
14.0, 15.0, 16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires analysis and mitigation of covert/side channels that could leak GPU cache contents, exactly matching the Skia drawLayersInternal flaw.

prevent

Mandates controls to stop information leakage from shared hardware resources such as the GPU cache exploited by this local side-channel attack.

prevent

Requires the system to prevent unintended information transfer through shared system resources, directly applicable to unauthorized GPU cache access.

References