Android Framework and Telecomm URI Double Encoding Information Disclosure Vulnerability
Vulnerability
A vulnerability exists in the Android Framework and Telecomm services due to URI double encoding, which may allow access to content across different user profiles. This issue could lead to local information disclosure without requiring additional execution privileges or user interaction. The vulnerability has been addressed in the Android Open Source Project (AOSP) and is included in the March 2025 security patch level.
Impact
Exploitation of this vulnerability could result in unauthorized access to information across user profiles, potentially leading to privacy violations.
Reproduction
The vulnerability can be reproduced by creating a URI that includes double encoding, such as a user ID followed by a percent sign. This improperly formatted URI can then be used in contexts where user profile information is accessed, such as in the Telecom service when registering a phone account.
Remediation
Users can update their devices to the March 2025 security patch level to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.