CVE-2025-48636
Published: 02 March 2026
Summary
CVE-2025-48636 is a high-severity Path Traversal (CWE-22) vulnerability in Google Android. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). It ranks at the 1.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the path traversal vulnerability by requiring validation of file path inputs to the openFile method, preventing unauthorized file access.
- AC-3 (Access Enforcement): enforces strict access controls in the BugreportContentProvider to block unauthorized reading and writing of files outside the intended directories.
- Least privilege: limits the impact of any local privilege escalation achieved through the path traversal flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal gives direct read access to local files (T1005) and, because no additional privileges are required, results in local privilege escalation (T1068).
NVD Description
In openFile of BugreportContentProvider.java, there is a possible way to read and write unauthorized files due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis
CVE-2025-48636 is a path traversal vulnerability (CWE-22) in the openFile method of BugreportContentProvider.java within Android Wear OS. Published on 2026-03-02, it enables unauthorized reading and writing of files, potentially leading to local escalation of privilege. No additional execution privileges or user interaction are required for exploitation, with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability due to its low attack complexity and lack of privilege requirements. By leveraging the path traversal flaw, the attacker gains the ability to read sensitive files and overwrite arbitrary ones, resulting in full local privilege escalation and high impacts on confidentiality, integrity, and availability.
The Android Wear OS security bulletin dated 2026-03-01 details patches and mitigation guidance at https://source.android.com/docs/security/bulletin/wear/2026/2026-03-01.
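The input validation and access enforcement that an openFile implementation needs before mapping a caller-supplied name onto the filesystem, shown as an added example in plain JDK Java; this is illustrative code, not the AOSP BugreportContentProvider or its actual patch, and the class name, base directory and sample inputs are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Hypothetical helper showing the SI-10 (input validation) and AC-3
 * (access enforcement) checks a ContentProvider.openFile() must apply
 * before opening a file named by an untrusted URI segment. Not AOSP code.
 */
public final class BugreportPathGuard {

    /** Assumed directory the provider is meant to expose; nothing outside it may be opened. */
    private static final File BASE_DIR = new File(System.getProperty("java.io.tmpdir"), "bugreports");

    /**
     * Resolves requestedName against baseDir and returns the file only if its
     * canonical path is still inside baseDir. Canonicalisation collapses "..",
     * repeated separators and symlinks, so a check on the raw string alone is not enough.
     */
    public static File resolveInside(File baseDir, String requestedName) throws IOException {
        if (requestedName == null || requestedName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // A bugreport name is a single path segment: reject separators and NUL outright.
        if (requestedName.indexOf('/') >= 0 || requestedName.indexOf('\\') >= 0
                || requestedName.indexOf('\0') >= 0) {
            throw new SecurityException("path separators not allowed: " + requestedName);
        }
        Path base = baseDir.getCanonicalFile().toPath();
        Path target = new File(baseDir, requestedName).getCanonicalFile().toPath();
        // Defence in depth: "..", "." or a symlink can still leave the directory.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new SecurityException("path escapes base directory: " + requestedName);
        }
        return target.toFile();
    }

    public static void main(String[] args) throws IOException {
        BASE_DIR.mkdirs();
        // Constructed sample inputs: one legitimate name and three that must be refused.
        String[] samples = {"bugreport-2026-03-02.zip", "../../other/dir/file", "..", "."};
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + resolveInside(BASE_DIR, s));
            } catch (SecurityException | IllegalArgumentException e) {
                System.out.println("DENY  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The same containment check belongs in openFile before any ParcelFileDescriptor is created, and the provider's manifest entry should additionally restrict which callers may reach it at all.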
Details
- CWE(s)