Android Framework Cross-User Image Leak Vulnerability in Avatar Picker
Vulnerability
A vulnerability allowing cross-user image leaks has been identified in the Android Framework's avatar picker feature, specifically within the EditUserPhotoController.java file. This issue arises from a confused deputy problem, potentially leading to unauthorized local information disclosure. The vulnerability does not require additional execution privileges or user interaction for exploitation.
Impact
Exploitation of this vulnerability could result in unauthorized cross-user image leaks, allowing one user to access another user's images.
Remediation
Users can update their devices to the April 2025 security patch level to address this vulnerability.
