CVE-2025-0076: Information disclosure in Google Android
In multiple locations, there is a possible way to view icons belonging to another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-0076 is a low-severity information disclosure vulnerability affecting multiple versions of the Google Android operating system, specifically versions 13, 14, and 15. The vulnerability arises from a missing permission check in several locations within the Android system, which allows a local attacker to view icons belonging to other users on the same device. This flaw is categorized under CWE-862 (Missing Authorization), indicating that the system fails to properly enforce access control policies. Exploitation does not require any additional execution privileges beyond those of a local user, nor does it require any user interaction, making it potentially easier to exploit in multi-user environments. However, the impact is limited to local information disclosure, specifically the ability to view icons associated with other users, which may reveal some metadata or user-specific information but does not compromise system integrity or availability. The CVSS v3.1 base score is 3.3, reflecting low severity due to the limited confidentiality impact, the requirement for local access, and the absence of integrity or availability impacts. There are currently no known exploits in the wild, and no patches have been explicitly linked in the provided information, suggesting that remediation may be pending or integrated into future Android updates. The vulnerability highlights the importance of strict permission checks in multi-user operating systems to prevent unauthorized access to user-specific data, even if that data appears minimal such as icons or UI elements.
Potential Impact
For European organizations, the direct impact of CVE-2025-0076 is relatively limited due to its low severity and local scope. However, in environments where Android devices are shared among multiple users—such as in corporate settings with shared devices, kiosks, or public terminals—this vulnerability could lead to inadvertent leakage of user-specific information. Although the disclosed information (icons) may seem trivial, it could potentially be used as part of a larger reconnaissance effort to profile users or infer usage patterns. This could be a privacy concern under regulations like GDPR, especially if combined with other data. The vulnerability does not allow privilege escalation or remote exploitation, so the risk to critical infrastructure or sensitive systems is minimal. Nonetheless, organizations with strict data privacy requirements should consider this vulnerability as part of their overall mobile device security posture. The lack of user interaction requirement means that an attacker with local access could exploit this silently, which may be relevant in insider threat scenarios or in environments with less physical security.
Mitigation Recommendations
To mitigate CVE-2025-0076, European organizations should ensure that all Android devices are updated to the latest available security patches as soon as Google releases fixes addressing this vulnerability. Until patches are available, organizations should limit physical and local access to Android devices, especially those used in multi-user contexts. Implementing strict device usage policies and employing mobile device management (MDM) solutions can help enforce user separation and monitor for suspicious local activity. Additionally, organizations should audit multi-user configurations on Android devices to minimize unnecessary user accounts and restrict access rights appropriately. For environments where shared devices are necessary, consider deploying custom lockdown or kiosk modes that limit user switching or access to other users' data. Finally, raising user awareness about the risks of shared device usage and enforcing strong authentication mechanisms can reduce the likelihood of exploitation.
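The multi-user audit recommended above can be scripted per device. The following is an added example, not code from the advisory or from Google: it assumes `adb` access to the device, the function names are hypothetical, and the `pm list users` sample is constructed so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): triage one device for CVE-2025-0076.
# Live inputs would come from:
#   adb shell getprop ro.build.version.release
#   adb shell pm list users

# Constructed sample of `pm list users` output, not taken from a real device.
SAMPLE_USERS='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Kiosk Guest:404}
    UserInfo{11:Shift B:410} running'

# Print "id name" for every UserInfo{id:name:flags} entry.
list_users() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*UserInfo{\([0-9][0-9]*\):\(.*\):[0-9a-fA-F]*}.*$/\1 \2/p'
}

count_users() {
  list_users "$1" | wc -l | tr -d '[:space:]'
}

# Entries other than user 0; each should be justified or removed.
secondary_users() {
  list_users "$1" | awk '$1 != 0'
}

# True when the major release is one the advisory lists (13, 14, 15).
is_listed_release() {
  major=$(printf '%s' "$1" | tr -d '\r' | cut -d. -f1)
  case "$major" in
    13|14|15) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_device RELEASE PM_LIST_USERS_OUTPUT -> prints a one-word verdict.
audit_device() {
  if ! is_listed_release "$1"; then
    echo "not-listed"            # release not named in the advisory
  elif [ "$(count_users "$2")" -gt 1 ]; then
    echo "review"                # listed release with more than one user entry
  else
    echo "no-secondary-users"    # listed release, no other user entry present
  fi
}

audit_device 14 "$SAMPLE_USERS"
secondary_users "$SAMPLE_USERS"
```

Managed (work) profiles also appear as entries in `pm list users`, so a "review" verdict on a single-person device may reflect a work profile rather than a second person.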
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2024-12-13T16:55:53.516Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68b9dcc488499799243c2ef1
Added to database: 9/4/2025, 6:39:00 PM
Last enriched: 9/11/2025, 8:20:16 PM
Last updated: 10/16/2025, 7:32:53 PM