PT-2025-31879 · Unknown · Android System

Published: 2025-08-01 · Updated: 2025-11-06 · CVE-2025-48530

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Android versions prior to security patch level 2025-08-05
Android 16 versions prior to the August 2025 update
Pixel 3a, S10, and OnePlus 7 (affected versions not specified)
Description
A critical remote code execution (RCE) flaw exists in the Android operating system, specifically within the core System component. This flaw allows an attacker to execute arbitrary code on a device without any user interaction. The vulnerability stems from deficiencies in access control mechanisms. Exploitation may allow a remote attacker to execute code. The vulnerability is suspected to have been exploited by state actors for surveillance purposes. Affected devices include Pixel and Samsung models as well as older devices such as the Pixel 3a, Samsung S10, and OnePlus 7. The flaw is located in the AVIF parser/decoder and involves out-of-bounds accesses related to the YUV planes, the alpha plane, the Y plane, the UV planes, chroma width calculation, plane size calculation, and row bytes.
Recommendations
Android versions prior to security patch level 2025-08-05: Update to security patch level 2025-08-05 or later.
Android 16 versions prior to the August 2025 update: Install the August 2025 Android update.
Pixel 3a, S10, and OnePlus 7: Update to the latest available security patch for your device.

Fix

LPE

RCE

Out-of-bounds Read

Improper Access Control

Weakness Enumeration

Related Identifiers

BDU:2025-09417
CVE-2025-48530

Affected Products

Android System