CVE-2025-48634
Published: 02 March 2026
Summary
CVE-2025-48634 is a high-severity Missing Authorization (CWE-862) vulnerability in Google Android. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing permission check enables local privilege escalation via tapjacking in Android WindowManager.
NVD Description
In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysisAI
CVE-2025-48634 is a vulnerability in the relayoutWindow function of WindowManagerService.java within Android, stemming from a missing permission check that enables a tapjack attack. This flaw, associated with CWE-862 (Missing Authorization), allows for local escalation of privilege without requiring additional execution privileges. The vulnerability received a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and was published on March 2, 2026.
A local attacker can exploit this issue with low complexity and no user interaction, leveraging the absence of permission checks to escalate privileges on the affected Android device. Successful exploitation grants high integrity impact, with low confidentiality and availability impacts, but no scope change.
The Android security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-03-01 provides details on available patches to address this vulnerability.
Details
- CWE(s)