← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-48615 · CWE-770 · Disclosed 2025-12-08

In getComponentName of MediaButtonReceiverHolder

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a bad stair inside the building, not an unlocked front door

CVE-2025-48615 is an Android Framework flaw in MediaButtonReceiverHolder.java where getComponentName() could accept overlong component-name properties and end up with a persistence desynchronization tied to resource exhaustion. Google’s patch adds a MAX_COMPONENT_NAME_LENGTH check before building the ComponentName, which tells you the exploit path depends on feeding abnormally long package/class values into media button receiver state. NVD lists Android 13, 14, 15, and 16 as affected; Google later republished the fix in the June 2026 bulletin for updated AOSP versions 14, 15, 16, and 16-qpr2 after pulling the December 2025 entry because the original fix was incomplete.

The vendor’s HIGH/7.8 score is technically defensible in a sandbox-escape vacuum, but it overstates enterprise urgency. This is AV:L/PR:L: the attacker already needs code running on the device with low privileges, which usually means a malicious app, sideload, or prior foothold. No KEV listing, essentially floor-level EPSS, no public exploit traction, and no network exposure push this down to a fleet-management MEDIUM unless your mobile estate allows broad app installation or you treat Android local EoP chains as part of an active mobile threat model.

"Real bug, real patch, but this is a post-app-execution Android local EoP with no field exploitation signal."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code on the device

The attacker first needs local code execution in an app context on the target Android device. In practice that means a malicious APK, compromised app update, or an already-compromised user profile; the CVSS AV:L/PR:L reflects this prerequisite. Tooling is mundane here: adb install, enterprise sideload channels, or app-store delivery are enough.
Conditions required:
  • Target runs an affected Android build
  • Attacker can execute code locally in an app context
  • App has at least low privileges on-device
Where this breaks in practice:
  • This is already post-initial-access on the endpoint
  • Managed Play, app allowlisting, and blocked sideloading cut the reachable population sharply
  • BYOD controls and OEM patch lag vary widely, making exploitation consistency worse for attackers
Detection/coverage: Classic vuln scanners will mostly infer exposure from Android version and patch level; they will not see an exploit chain. MDM, EDR-for-mobile, and app-install telemetry are better indicators than perimeter scanning.
STEP 02

Reach the media session code path

The malicious app needs to exercise the media session pathway that stores or restores media button receiver state, ultimately reaching MediaSession.setMediaButtonReceiver(PendingIntent) and the framework holder logic. The public patch indicates the vulnerable area is the framework’s handling of receiver component names during resolution and persistence. A custom APK or test harness is enough; there is no need for exotic exploit tooling.
Conditions required:
  • App can create and register a media-button receiver PendingIntent
  • Framework reaches MediaButtonReceiverHolder.create() / getComponentName() for that intent
Where this breaks in practice:
  • This is a niche framework path, not a universal IPC primitive every app uses
  • PackageManager behavior already blocks some malformed cases, as noted in Google’s patch comments
  • Exploit reliability depends on device/OEM behavior around component resolution and persistence
Detection/coverage: Static detection is weak. Runtime clues would be anomalous media session registration patterns, repeated media-button receiver changes, or logcat warnings after patched builds.
STEP 03

Trigger overlong component-name handling

The exploit attempt relies on feeding unusually long package/name values into component resolution so the framework ends up in the desync/resource-exhaustion condition. Google’s remediation is literally a length cap check and rejection path, which strongly implies the attack depends on abnormal component metadata size rather than normal app behavior. A purpose-built APK is the weaponized tool here.
Conditions required:
  • Component metadata or resolved names can exceed the new 1024-character guardrail on vulnerable builds
  • The framework accepts the resolved component far enough to persist or restore state
Where this breaks in practice:
  • Patched builds now reject oversized names
  • Exploitability appears brittle because the original December 2025 fix was later withdrawn as incomplete
  • Name-length and resource-exhaustion behavior are unlikely to be stable across all OEM integrations
Detection/coverage: On patched devices, the framework logs and ignores oversized component names. On vulnerable devices, there is little pre-exploit signature beyond app/package anomalies.
STEP 04

Convert desync into privilege gain

If the attacker gets the framework into an inconsistent persisted/restored state, they may leverage that mismatch into local privilege escalation within the Android media/session context. The CNA/NVD description says the end state is local EoP with no extra execution privileges or user interaction. That is meaningful, but the blast radius is still one device at a time and only after the attacker is already on-box.
Conditions required:
  • The desync is actually reachable on the specific device build
  • The inconsistent state yields a useful privilege boundary bypass rather than a crash or no-op
Where this breaks in practice:
  • No public exploit evidence suggests this last mile is nontrivial
  • Mobile EDR, app reputation controls, and enterprise app policy should catch many real-world precursor stages
  • This does not provide remote wormability or fleetwide compromise by itself
Detection/coverage: There is no broad signature-based coverage expected. Treat this as a chain component detectable mainly through app provenance, device compromise indicators, and patch-level compliance.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed in-the-wild exploitation found in official sources reviewed; not listed in CISA KEV as of the catalog state checked.
Public exploit / PoCNo public GitHub, Metasploit, Exploit-DB, or Packet Storm PoC surfaced in quick source review; this is an inference from absence of credible public references, not proof none exists.
EPSS0.00006 from the user-supplied intel block — effectively background noise for prioritization.
KEV statusNo; no KEV entry or due date applies.
CVSS vector meaningCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = local attacker, low complexity, low privileges, no user interaction, high impact if successfully chained.
Affected versionsNVD lists Android 13, 14, 15, 16. Google’s later June 2026 bulletin republishes the fix for updated AOSP versions 14, 15, 16, 16-qpr2, so version mapping is messy because the December 2025 fix was later withdrawn.
Fixed versionsOperationally treat devices with Android security patch level 2026-06-05 or later as patched for this issue; Google says 2026-06-05 covers that patch level and all previous ones.
Scanning / exposure dataShodan/Censys/GreyNoise style internet-exposure data is not applicable here: this is an on-device Android Framework local EoP, not a remotely enumerable service.
Disclosure timelineCVE published 2025-12-08. Android Security Bulletin was initially published 2025-12-01, then on 2025-12-17 Google removed CVE-2025-48615 from that bulletin because the fix was incomplete. The issue reappears in the 2026-06-01 bulletin.
Reporting / vendor referenceSource is Android / Google via the Android CNA and AOSP patch trail; public patch commit message: *Check length of MBR component name properties*.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.3/10)

The decisive factor is attacker position: this bug starts at local low-privilege code execution on the device, so it is already downstream of app install, sideload, or prior compromise. That sharply narrows the exposed population compared with a remotely reachable Android bug, and there is no exploitation signal to justify treating it like an emergency mobile fleet event.

HIGH Attacker-position downgrade from vendor HIGH to operational MEDIUM
MEDIUM Exact affected-version boundaries because Google withdrew the December 17, 2025 fix as incomplete and republished later

Why this verdict

  • Local attacker only: vendor 7.8 assumes high impact after compromise, but AV:L/PR:L means the attacker already has code running on the endpoint. For enterprise triage, that is a major downward adjustment because it is not an initial-access bug.
  • Reachable population is narrow: the chain requires an affected Android build plus app execution plus a niche media-session code path. Managed Play, blocked sideloading, and app allowlisting materially reduce how many fleet devices can even reach step one.
  • Threat telemetry is cold: no KEV, no credible public PoC surfaced, and EPSS 0.00006 is effectively nil. That does not make the bug fake, but it does make the vendor HIGH feel inflated for Monday-morning patch ordering.
  • Patch history cuts both ways: Google removed the December 17, 2025 bulletin entry because the original fix was incomplete, then reissued the issue in June 2026. That raises confidence the bug matters, but it does not erase the local-only friction.

Why not higher?

There is no remote reachability, no unauthenticated attack path, and no evidence of active exploitation. A 10,000-device enterprise should reserve HIGH/CRITICAL for vulnerabilities that create broad reachable population or urgent threat pressure; this one does neither.

Why not lower?

This is still a real local privilege-escalation class flaw in the Android Framework, not a cosmetic bug. If an attacker does land a malicious app on a vulnerable device, local EoP bugs are exactly what they chain next, so it should not be relegated to backlog hygiene.

05 · Compensating Control

What to do — in priority order.

  1. Block sideloading — Use MDM/EMM policy to disable unknown-source installs and restrict developer options where possible. This attacks the biggest real-world prerequisite — local attacker code on the device — and for a MEDIUM verdict there is no mitigation SLA, so apply it as standard hardening while you work the 365-day remediation window.
  2. Enforce app allowlisting — Require Managed Google Play or an approved enterprise catalog so only vetted packages can run on corporate-owned devices. This meaningfully reduces the fraction of devices that can host the malicious app needed to start the chain; with MEDIUM, there is no mitigation SLA, but it is still the best control if patch uptake lags.
  3. Prioritize high-risk mobile cohorts — Pull forward devices used by executives, admins, field staff, and users with broad app-install latitude, especially BYOD or lightly managed Android fleets. Even without a mitigation SLA, those cohorts deserve earlier remediation because local EoP chains matter more when app trust is weaker.
  4. Audit Android patch compliance — Use MDM or adb-based spot checks to find devices below security patch level 2026-06-05. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but inventory first so the remediation plan is real rather than aspirational.
What doesn't work
  • Perimeter firewalls or WAFs do not help; there is no internet-facing service here.
  • Email security alone is insufficient; phishing may deliver the initial app or link, but the vulnerability itself is a local post-delivery privilege-escalation step.
  • Network vulnerability scanners will not prove exploitability; at best they infer risk from Android version or patch level and miss whether local app-install controls already crush the attack path.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed, not on the device itself. Invoke it as ./check-cve-2025-48615.sh for the only attached device or ./check-cve-2025-48615.sh SERIAL for a specific handset; it needs USB debugging or authorized adb over network, but no root.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check-cve-2025-48615.sh
# Determine likely exposure to CVE-2025-48615 on an Android device via adb.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

SERIAL="${1:-}"
ADB=(adb)
if [ -n "$SERIAL" ]; then
  ADB+=( -s "$SERIAL" )
fi

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

getprop_safe() {
  local key="$1"
  "${ADB[@]}" shell getprop "$key" 2>/dev/null | tr -d '\r'
}

if ! command -v adb >/dev/null 2>&1; then
  fail_unknown "adb not found in PATH"
fi

STATE=$("${ADB[@]}" get-state 2>/dev/null || true)
if [ "$STATE" != "device" ]; then
  fail_unknown "no authorized adb device detected"
fi

RELEASE=$(getprop_safe ro.build.version.release)
PATCH=$(getprop_safe ro.build.version.security_patch)
BUILDID=$(getprop_safe ro.build.id)
SDK=$(getprop_safe ro.build.version.sdk)

if [ -z "$RELEASE" ] || [ -z "$PATCH" ]; then
  fail_unknown "could not read Android release or security patch level"
fi

# Normalize release to major version where possible (e.g., 14, 15, 16)
MAJOR="${RELEASE%%.*}"
case "$MAJOR" in
  13|14|15|16)
    ;;
  *)
    echo "PATCHED: Android release=$RELEASE build=$BUILDID sdk=$SDK patch=$PATCH (not in known affected major-version set)"
    exit 0
    ;;
esac

# Compare YYYY-MM-DD patch strings numerically.
PATCH_NUM=$(echo "$PATCH" | tr -d '-')
FIX_NUM="20260605"

if ! echo "$PATCH_NUM" | grep -Eq '^[0-9]{8}$'; then
  fail_unknown "unexpected security patch format: $PATCH"
fi

if [ "$PATCH_NUM" -ge "$FIX_NUM" ]; then
  echo "PATCHED: Android release=$RELEASE build=$BUILDID sdk=$SDK patch=$PATCH (>= 2026-06-05)"
  exit 0
fi

echo "VULNERABLE: Android release=$RELEASE build=$BUILDID sdk=$SDK patch=$PATCH (< 2026-06-05)"
exit 1
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a mobile hardening and patch-compliance task, not a fire drill: inventory managed Android devices on releases 14/15/16 first, verify whether OEM updates have brought them to security patch level 2026-06-05 or later, and use MDM to suppress sideloading and unapproved apps where that is not already enforced. Because the reassessed severity is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA, but if you run lightly managed Android, BYOD with broad app installs, or other high-risk mobile cohorts, pull those devices forward in the queue instead of waiting for the slowest carrier cadence.

Sources

  1. NVD entry for CVE-2025-48615
  2. Android Security Bulletin — December 2025
  3. Android Security Bulletin — June 2026
  4. AOSP patch diff for CVE-2025-48615
  5. MediaButtonReceiverHolder.java code path
  6. CISA Known Exploited Vulnerabilities Catalog
  7. FIRST EPSS project
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.