CVE-2025-22441

HIGH

Android - Local Privilege Escalation via RemoteViews Confused Deputy

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-22441. PoCs published by michalbednarski.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2025-22441, focusing on how malicious `ApplicationInfo` objects in `RemoteViews` can manipulate cached APK paths in Android's `LoadedApk` class, potentially leading to resource or code path poisoning. The writeup includes root cause analysis, patch references, and code snippets demonstrating the vulnerability.

Description

In getContextForResourcesEnsuringCorrectCachedApkPaths of RemoteViews.java, there is a possible way to load arbitrary java code in a privileged context due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Exploits (1)

github WRITEUP 94 stars

by michalbednarski · javapoc

https://github.com/michalbednarski/ResourcePoison

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2025-22441, focusing on how malicious `ApplicationInfo` objects in `RemoteViews` can manipulate cached APK paths in Android's `LoadedApk` class, potentially leading to resource or code path poisoning. The writeup includes root cause analysis, patch references, and code snippets demonstrating the vulnerability.

Classification

Writeup 95%

Attack Type

Other

Complexity

Complex

Reliability

Theoretical

Target: Android Framework (versions affected by CVE-2025-22441)

No auth needed

Prerequisites: Ability to send crafted `RemoteViews` to a target process (e.g., via widgets, notifications, or autofill dialogs) · Target process must apply the `RemoteViews` with insufficient validation of `ApplicationInfo`

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1555 - Credentials from Password Stores

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://source.android.com/security/bulletin/2025-08-01

Scores

CVSS v3 7.3

EPSS 0.0010

EPSS Percentile 1.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-441

Status published

Products (3)

google/android 13.0

google/android 14.0

google/android 15.0

Published Sep 04, 2025

Tracked Since Feb 18, 2026