{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-48651", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "state": "PUBLISHED", "assignerShortName": "google_android", "dateReserved": "2025-05-22T18:12:46.995Z", "datePublished": "2026-04-06T18:20:31.044Z", "dateUpdated": "2026-04-08T17:23:37.800Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-04-08T17:23:37.800Z"}, "datePublic": "2026-04-05T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Unknown"}]}], "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "Android SoC"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}]}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-04-01", "tags": ["vendor-advisory"]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.7.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In importWrappedKey of KMKeymasterApplet.java, there is a possible way access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}], "id": "CVE-2025-48651", "lastModified": "2026-04-08T19:24:07.120", "metrics": {}, "published": "2026-04-06T19:16:25.867", "references": [{"source": "security@android.com", "url": "https://source.android.com/docs/security/bulletin/2026/2026-04-01"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "Android SoC"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Android", "source": "cna", "vendor": "Google"}, "product": "android", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-08T20:01:21.091004+00:00", "value": {"mitigation_remediation": ["Check for and install any Android security updates that address the StrongBox key management flaw", "If no update is available, review device security policies to limit use of the affected key store and apply access controls", "Monitor system logs for anomalous key access attempts and enforce least\u2011privilege principles for key handling", "Consult Google\u2019s Android security bulletin for additional guidance and future patch releases"], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Android devices managed by Google are affected; the flaw resides in the Keymaster component that handles StrongBox key management. No specific version range is listed, so any Android installation containing the impacted KeymasterApplet code is potentially vulnerable.", "description_and_impact": "The vulnerability lies in the importWrappedKey method of KMKeymasterApplet.java, where inadequate input validation allows an attacker to obtain keys that should be protected. This flaw can lead to the disclosure of sensitive cryptographic material without requiring the attacker to gain additional execution privileges or interact with the user. The weakness is categorized as Information Exposure (CWE\u2011200) and Improper Authorization (CWE\u2011285).", "risk_and_exploitability": "The EPSS score for this issue is less than 1%, indicating a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, and no CVSS score is provided. Because the attack requires local access to the device and no user interaction, a local attacker could read restricted keys if the device is compromised or physically accessed. The absence of a publicly available exploit and the low EPSS suggest that while the risk is limited to environments where the attacker has local presence, the impact on confidentiality remains significant."}}}}, "created": "2026-04-07T06:54:44.118402+00:00", "updated": "2026-04-08T20:02:27.751754+00:00", "vendors": ["google", "google$PRODUCT$android"]}