CVE-2025-48611 PUBLISHED

Assigner: google_android
Reserved: 22.05.2025 Published: 10.03.2026 Updated: 11.03.2026

In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Google
Product	Android
Versions	Default: unaffected Version Android Kernel is affected

Credits

Canyie(石松洲) of LSPosed Team reporter

References

https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01