Filtered by vendor Google
Subscriptions
Filtered by product Android
Subscriptions
Total
8750 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-20979 | 1 Google | 1 Android | 2025-10-02 | 8.4 High |
| Out-of-bounds write in libsavscmn prior to Android 15 allows local attackers to execute arbitrary code. | ||||
| CVE-2023-21482 | 2 Google, Samsung | 4 Android, Camera, Mobile and 1 more | 2025-10-01 | 6.1 Medium |
| Missing authorization vulnerability in Camera prior to versions 11.1.02.18 in Android 11, 12.1.03.8 in Android 12 and 13.1.01.4 in Android 13 allows physical attackers to install package through Galaxy store before completion of Setup wizard. | ||||
| CVE-2025-47967 | 2 Google, Microsoft | 3 Android, Edge, Edge Chromium | 2025-10-01 | 4.7 Medium |
| Insufficient ui warning of dangerous operations in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-57197 | 2 Google, Payeer | 2 Android, Payeer App | 2025-09-30 | 6 Medium |
| In the Payeer Android application 2.5.0, an improper access control vulnerability exists in the authentication flow for the PIN change feature. A local attacker with root access to the device can dynamically instrument the app to bypass the current PIN verification check and directly modify the authentication PIN. This allows unauthorized users to change PIN without knowing the original/current PIN. | ||||
| CVE-2021-39810 | 1 Google | 1 Android | 2025-09-30 | 7.8 High |
| In verifyDefaults of CardEmulationManager.java, there is a possible way to set a third party app as the default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2023-21342 | 1 Google | 1 Android | 2025-09-30 | 7.8 High |
| In RemoteSpeechRecognitionService of RemoteSpeechRecognitionService.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-34739 | 1 Google | 1 Android | 2025-09-29 | 7.8 High |
| In shouldRestrictOverlayActivities of UsbProfileGroupSettingsManager.java, there is a possible escape from SUW due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-36890 | 1 Google | 1 Android | 2025-09-29 | 9.8 Critical |
| Elevation of Privilege | ||||
| CVE-2025-26442 | 1 Google | 1 Android | 2025-09-29 | 5.5 Medium |
| In onCreate of NotificationAccessConfirmationActivity.java, there is a possible incorrect verification of proper intent filters in NLS due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-26436 | 1 Google | 1 Android | 2025-09-29 | 7.8 High |
| In clearAllowBgActivityStarts of PendingIntentRecord.java, there is a possible way for an application to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-26435 | 1 Google | 1 Android | 2025-09-29 | 7.8 High |
| In updateState of ContentProtectionTogglePreferenceController.java, there is a possible way for a secondary user to disable the primary user's deceptive app scanning setting due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-26430 | 1 Google | 1 Android | 2025-09-29 | 7.8 High |
| In getDestinationForApp of SpaAppBridgeActivity, there is a possible cross-user file reveal due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-21035 | 2 Google, Samsung | 5 Android, Calendar, Mobile and 2 more | 2025-09-29 | 4.6 Medium |
| Improper access control in Samsung Calendar prior to version 12.5.06.5 in Android 14 and 12.6.01.12 in Android 15 allows physical attackers to access data across multiple user profiles. | ||||
| CVE-2024-53647 | 3 Apple, Google, Trendmicro | 4 Iphone Os, Android, Id Security and 1 more | 2025-09-29 | 6.5 Medium |
| Trend Micro ID Security, version 3.0 and below contains a vulnerability that could allow an attacker to send an unlimited number of email verification requests without any restriction, potentially leading to abuse or denial of service. | ||||
| CVE-2024-56189 | 1 Google | 1 Android | 2025-09-26 | 6.5 Medium |
| In SAEMM_DiscloseMsId of SAEMM_RadioMessageCodec.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure post authentication with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48562 | 1 Google | 1 Android | 2025-09-26 | 5 Medium |
| In writeContent of RemotePrintDocument.java, there is a possible information disclosure due to a logic error. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2025-48561 | 1 Google | 1 Android | 2025-09-26 | 5.5 Medium |
| In multiple locations, there is a possible way to access data displayed on the screen due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-47329 | 2 Google, Qualcomm | 78 Android, Fastconnect 7800, Fastconnect 7800 Firmware and 75 more | 2025-09-25 | 7.8 High |
| Memory corruption while handling invalid inputs in application info setup. | ||||
| CVE-2025-10184 | 2 Google, Oneplus | 2 Android, Oxygenos | 2025-09-25 | N/A |
| The vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider without permission, user interaction, or consent. The user is also not notified that SMS data is being accessed. This could lead to sensitive information disclosure and could effectively break the security provided by SMS-based Multi-Factor Authentication (MFA) checks. The root cause is a combination of missing permissions for write operations in several content providers (com.android.providers.telephony.PushMessageProvider, com.android.providers.telephony.PushShopProvider, com.android.providers.telephony.ServiceNumberProvider), and a blind SQL injection in the update method of those providers. | ||||
| CVE-2024-11358 | 2 Google, Mattermost | 3 Android, Mattermost, Mattermost Mobile | 2025-09-24 | 5.7 Medium |
| Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider. | ||||