Android: CameraActivity Permission Bypass leads to Local Info Disclosure
CVE-2025-36889 Published on December 11, 2025

In onCreateTasks of CameraActivity.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

NVD

Vulnerability Analysis

CVE-2025-36889 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is a Confused Deputy Vulnerability?

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

CVE-2025-36889 has been classified to as a Confused Deputy vulnerability or weakness.


Products Associated with CVE-2025-36889

Want to know whenever a new CVE is published for Google Android? stack.watch will email you.

Google Android
 

Affected Versions

Google Android Version Android kernel is affected by CVE-2025-36889

Exploit Probability

EPSS
0.01%
Percentile
0.38%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.