CVE-2025-22425

MEDIUM

Google Android - Incorrect Default Permissions

Title source: rule

Description

In onCreate of InstallStart.java, there is a possible permissions bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

References (3)

[Patch] https://android.googlesource.com/platform/frameworks/base/+/8575592802b9527fe0f7cf19e9cb7159c9aa5121

[Patch] https://android.googlesource.com/platform/frameworks/base/+/942884abf148426e948774b4857052da77ef77b3

[Vendor Advisory] https://source.android.com/security/bulletin/2025-05-01

Scores

CVSS v3 5.1

EPSS 0.0001

EPSS Percentile 1.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-276

Status published

Products (2)

google/android 13.0

google/android 14.0

Published Sep 04, 2025

Tracked Since Feb 18, 2026