CVE-2025-0086

Published: Aug 26, 2025Modified: Sep 2, 2025

6.2

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.5 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In onResult of AccountManagerService.java, there is a possible way to overwrite auth token due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected (5)

Products: Google: Android

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Google Android	Version 12.0
Google Android	Version 12.1
Google Android	Version 13.0
Google Android	Version 14.0
Google Android	Version 15.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://android.googlesource.com/platform/frameworks/base/+/c1aa9e662464b8fa49765d53a82efa8e06bb176a

Source: security@android.com

Product

https://source.android.com/security/bulletin/2025-03-01

Source: security@android.com

Vendor Advisory

Timeline

No history available yet.