CVE-2025-48633
Published: 08 December 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-48633 is a logic error in the hasAccountsOnAnyUser function of DevicePolicyManagerService.java within the Android Open Source Project's platform/frameworks/base component. The flaw allows a Device Owner to be added after device provisioning has completed, resulting in a local escalation of privilege. Exploitation requires no additional execution privileges and no user interaction. The vulnerability carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); NVD has not yet detailed an associated CWE.
A local attacker with low privileges (PR:L) on an affected Android device can exploit this issue without additional attack complexity or user involvement. Successful exploitation allows the attacker to elevate privileges by installing a Device Owner, granting high confidentiality access (C:H) as reflected in the CVSS metrics, though without integrity or availability impact.
The Android Security Bulletin for December 2025 (security patch level 2025-12-01) addresses this vulnerability and provides patch details. The code change fixing the issue is available in the commit at https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93. Mitigation consists of applying the relevant Android updates. The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633, indicating real-world exploitation.
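For fleet triage, the practical defender questions are whether a device's security patch level predates the December 2025 bulletin and whether a Device Owner is already set, since on an unpatched device an unexpected Device Owner is exactly the condition this flaw produces. The script below is an added example, not code from the bulletin, the AOSP fix commit, or NVD. It assumes the two real commands named in its comments supply the live inputs; the sample outputs embedded in it are constructed so it runs offline, and the exact dumpsys layout is an assumption (only the "Device Owner:" marker is relied on).

```shell
#!/bin/sh
# Added example for CVE-2025-48633 triage (not from the Android bulletin or AOSP).
# Live inputs would come from these real commands:
#   adb shell getprop ro.build.version.security_patch   -> e.g. 2025-11-05
#   adb shell dumpsys device_policy                      -> policy state dump
# Constructed sample values are embedded below so the script runs offline.

# Patch level that ships the fix, per the December 2025 Android Security Bulletin.
FIX_PATCH_LEVEL="2025-12-01"

# is_patched LEVEL: returns 0 if LEVEL (YYYY-MM-DD) is at or after the fix
# level, 1 if it is older, 2 if LEVEL is malformed or empty. Callers should
# treat an unknown level as unpatched.
is_patched() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # ISO dates with the dashes removed compare correctly as integers.
    lvl=$(printf '%s' "$1" | sed 's/-//g')
    fix=$(printf '%s' "$FIX_PATCH_LEVEL" | sed 's/-//g')
    [ "$lvl" -ge "$fix" ]
}

# has_device_owner DUMPSYS_TEXT: returns 0 if a "Device Owner:" section is
# present in the dumpsys output (assumed marker, see lead-in).
has_device_owner() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Device Owner:'
}

# assess LEVEL DUMPSYS_TEXT: prints one triage label for the device.
assess() {
    if is_patched "$1"; then
        echo "patched"
    elif has_device_owner "$2"; then
        # Unpatched and a Device Owner exists: confirm it is the expected MDM.
        echo "unpatched-device-owner-present"
    else
        echo "unpatched-no-device-owner"
    fi
}

# Constructed sample dumpsys outputs (not captured from a real device).
SAMPLE_DUMPSYS_WITH_DO="Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.Admin}
    User ID: 0"
SAMPLE_DUMPSYS_NO_DO="Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    (none)"

# Usage with the constructed samples: an old patch level with a Device Owner,
# and a device already on the fixed patch level.
assess "2025-11-05" "$SAMPLE_DUMPSYS_WITH_DO"
assess "2025-12-01" "$SAMPLE_DUMPSYS_NO_DO"
```

The label "unpatched-device-owner-present" is a prompt to verify that the Device Owner component is the one the organisation enrolled, not a finding in itself; the remediation in every case is the same as the bulletin's, which is to apply the December 2025 update.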
Details
- CWE(s): not yet detailed by NVD
- KEV Date Added: 02 December 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
- T1068: Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is a logic error enabling local privilege escalation to Device Owner without user interaction, which directly maps to T1068: Exploitation for Privilege Escalation.