VYPR
Medium severity 5.5 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 13, 2026

CVE-2025-48651

Description

In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in Android's Keymaster applet allows local disclosure of restricted keys without additional privileges.

Vulnerability Overview

CVE-2025-48651 is a medium-severity vulnerability in the Android Keymaster applet. The issue resides in the importWrappedKey method of KMKeymasterApplet.java, where improper input validation allows an attacker to access keys that should be restricted [1]. This is a local information disclosure vulnerability.

Exploitation

Exploitation requires local access to the device, such as through a malicious application. No additional execution privileges are needed, and user interaction is not required. The attacker can leverage the improper validation to bypass key restrictions.

Impact

Successful exploitation could lead to disclosure of sensitive cryptographic keys, potentially compromising data protected by those keys.

Mitigation

The Android Security Bulletin for April 2026 includes a fix for this issue. Devices with a security patch level of 2026-04-05 or later are protected [1]. Users are advised to apply the latest security updates.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
