{"id":"ASB-A-417194323","details":"In markMediaAsFavorite of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.","aliases":["A-417194323","CVE-2025-48532"],"modified":"2026-04-17T15:55:28.020024Z","published":"2025-09-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2025-09-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/a6fcb52734f2a873453e88ef9b7c15b17830cfb3"}],"affected":[{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-next:0"},{"fixed":"16-next:2025-09-01"}]}],"versions":["16-next"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"line_hashes":["252467237340136988279874926805536911361","253027110189259596559905853865236399884","85409575546689225779695749749051855852","167352473503805189157533801705020808658","263787362848184322829973419760929088958","108997042772152483846418567372962664890","203938548697571390785922118549296355254","44024703630756868014403793716054939663","263564123353357711936019226571810626456","89473489775610647870201973825814343427","77913870065290780195162124223596822363","248878906267711249268907230952118503917","169226018121120260778948570119429334934"],"threshold":0.9},"target":{"file":"apex/framework/java/android/provider/MediaStore.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/17ebbe43efe36a7c00d3941513d5caf2db91f628","deprecated":false,"id":"ASB-A-417194323-8cdba2db","signature_type":"Line"},{"signature_version":"v1","digest":{"function_hash":"165032715199730005984207360571869477596","length":706},"target":{"function":"markIsFavoriteStatus","file":"apex/framework/java/android/provider/MediaStore.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/17ebbe43efe36a7c00d3941513d5caf2db91f628","deprecated":false,"id":"ASB-A-417194323-a3f90a88","signature_type":"Function"},{"signature_version":"v1","digest":{"line_hashes":["287053415934503746210121641122726621089","248632809506086505286347460092462376621","228908182433035183539043718054362720572","41345823875876889990534683757307626280","282973107282152908453498358170613132447","75792629446528253333747100928660503495","231482198345633451348096419630387567398","287864360694202462662613789119253088022"],"threshold":0.9},"target":{"file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/17ebbe43efe36a7c00d3941513d5caf2db91f628","deprecated":false,"id":"ASB-A-417194323-cb8bdae8","signature_type":"Line"},{"signature_version":"v1","digest":{"function_hash":"4601982513338105504949867162077823009","length":635},"target":{"function":"markMediaAsFavorite","file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/17ebbe43efe36a7c00d3941513d5caf2db91f628","deprecated":false,"id":"ASB-A-417194323-d3955d9c","signature_type":"Function"}],"severity":"High","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/17ebbe43efe36a7c00d3941513d5caf2db91f628"],"types":["EoP"],"spl":"2025-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-417194323.json"}},{"package":{"name":"platform/packages/providers/MediaProvider","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2025-09-01"}]}],"versions":["16"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"function_hash":"4601982513338105504949867162077823009","length":635},"target":{"function":"markMediaAsFavorite","file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/5914feb17e6cbe086e6afefa5b14b13e3f2dd869","deprecated":false,"id":"ASB-A-417194323-21ab55fa","signature_type":"Function"},{"signature_version":"v1","digest":{"line_hashes":["252467237340136988279874926805536911361","253027110189259596559905853865236399884","85409575546689225779695749749051855852","167352473503805189157533801705020808658","263787362848184322829973419760929088958","108997042772152483846418567372962664890","203938548697571390785922118549296355254","44024703630756868014403793716054939663","263564123353357711936019226571810626456","89473489775610647870201973825814343427","77913870065290780195162124223596822363","248878906267711249268907230952118503917","169226018121120260778948570119429334934"],"threshold":0.9},"target":{"file":"apex/framework/java/android/provider/MediaStore.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/5914feb17e6cbe086e6afefa5b14b13e3f2dd869","deprecated":false,"id":"ASB-A-417194323-49d48953","signature_type":"Line"},{"signature_version":"v1","digest":{"line_hashes":["287053415934503746210121641122726621089","248632809506086505286347460092462376621","228908182433035183539043718054362720572","41345823875876889990534683757307626280","282973107282152908453498358170613132447","75792629446528253333747100928660503495","231482198345633451348096419630387567398","287864360694202462662613789119253088022"],"threshold":0.9},"target":{"file":"src/com/android/providers/media/MediaProvider.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/5914feb17e6cbe086e6afefa5b14b13e3f2dd869","deprecated":false,"id":"ASB-A-417194323-b52561d3","signature_type":"Line"},{"signature_version":"v1","digest":{"function_hash":"165032715199730005984207360571869477596","length":706},"target":{"function":"markIsFavoriteStatus","file":"apex/framework/java/android/provider/MediaStore.java"},"source":"https://android.googlesource.com/platform/packages/providers/MediaProvider/+/5914feb17e6cbe086e6afefa5b14b13e3f2dd869","deprecated":false,"id":"ASB-A-417194323-cebea3ec","signature_type":"Function"}],"severity":"High","fixes":["https://android.googlesource.com/platform/packages/providers/MediaProvider/+/5914feb17e6cbe086e6afefa5b14b13e3f2dd869"],"types":["EoP"],"spl":"2025-09-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-417194323.json"}}],"schema_version":"1.7.5"}