Android Passkey Escalation via Missing Permission Check
CVE-2025-48640 Published on June 17, 2026

In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

NVD

Vulnerability Analysis

Attack Vector:

ADJACENT_NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2025-48640 has been classified to as an AuthZ vulnerability or weakness.

Products Associated with CVE-2025-48640

Want to know whenever a new CVE is published for Google Android? stack.watch will email you.

Google Android

Affected Versions

Google Android Version 17 is affected by CVE-2025-48640

Exploit Probability

EPSS

0.12%

Percentile

2.04%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Android Passkey Escalation via Missing Permission CheckCVE-2025-48640 Published on June 17, 2026

Vulnerability Analysis

Weakness Type

What is an AuthZ Vulnerability?

Products Associated with CVE-2025-48640

Affected Versions

Exploit Probability

Android Passkey Escalation via Missing Permission Check
CVE-2025-48640 Published on June 17, 2026