CVE-2025-48609

Published Mar 2, 2026

Last updated 2 months ago

CVSS critical 9.1

Overview

Description
In multiple functions of MmsProvider.java, there is a possible way to arbitrarily delete files which affect telephony, SMS, and MMS functionalities due to a path traversal error. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Source
security@android.com
NVD status
Modified
Products
android

Risk scores

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Severity
CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-400

Social media

Hype score
Not currently trending

  1. CVE-2025-48609 (CVSS:9.1, CRITICAL) is Modified. In multiple functions of https://t.co/zBhGzXRAfe, there is a possible way to arbitrarily delete files which affect telephony, S..https://t.co/yDT79wduEh #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    6 Mar 2026

    62 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-48609 (CVSS:9.1, CRITICAL) is Analyzed. In multiple functions of https://t.co/zBhGzXRAfe, there is a possible way to arbitrarily delete files which affect telephony, S..https://t.co/yDT79wduEh #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    5 Mar 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🔴 CVE-2025-48609 - Critical In multiple functions of https://t.co/lsWamEp5iD, there is a possible way to arbitrarily delete files which affect telephony, SMS, and MMS functionalities due to a path traversal error. This cou... https://t.co/9VD0IAiLfg https://t.co/KL82POkEsQ

    @TheHackerWire

    3 Mar 2026

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege.CVE-2026-21012
  2. Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.CVE-2026-21011
  3. Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions.CVE-2026-21010
  4. Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning.CVE-2026-21009
  5. Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information.CVE-2026-21008

References

Sources include official advisories and independent security research.