Cyber Resilience

CVE-2025-48634

High

Published: 02 March 2026

Published
02 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Score 0.0000 0.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-48634 is a high-severity Missing Authorization (CWE-862) vulnerability in Google Android. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-48634 is a vulnerability in the relayoutWindow function of WindowManagerService.java within Android, stemming from a missing permission check that enables a tapjack attack. This flaw, associated with CWE-862 (Missing Authorization), allows for local escalation of privilege without requiring additional execution privileges. The vulnerability received a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L) and was published on March 2, 2026.

A local attacker can exploit this issue with low complexity and no user interaction, leveraging the absence of permission checks to escalate privileges on the affected Android device. Successful exploitation grants high integrity impact, with low confidentiality and availability impacts, but no scope change.

The Android security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-03-01 provides details on available patches to address this vulnerability.

EU & UK References

Vulnerability details

In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing permission check enables local privilege escalation via tapjacking in Android WindowManager.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-48574Same product: Google Android
CVE-2026-0026Same product: Google Android
CVE-2025-48578Same product: Google Android
CVE-2024-40677Same product: Google Android
CVE-2018-9382Same product: Google Android
CVE-2025-48602Same product: Google Android
CVE-2024-40651Same product: Google Android
CVE-2024-31328Same product: Google Android
CVE-2025-48645Same product: Google Android
CVE-2024-53841Same product: Google Android

Affected Assets

google
android
14.0, 15.0, 16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires the missing permission check in relayoutWindow to enforce access before allowing window operations that enable tapjacking.

prevent

Limits privileges granted to processes calling WindowManagerService so a missing check cannot yield high-integrity escalation.

prevent

Requires a tamper-proof reference monitor to mediate all WindowManagerService decisions, catching the absent authorization logic.

References