CVE-2025-22428: Elevation of privilege in Google Android
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible way to grant permissions to an app on the secondary user from the primary user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-22428 is a logic error vulnerability found in the hasInteractAcrossUsersFullPermission method of the AppInfoBase.java component in Google Android versions 13, 14, and 15. The flaw allows an application running under a secondary user profile to improperly inherit permissions from the primary user profile due to insufficient permission checks. This results in a local elevation of privilege without requiring additional execution privileges or user interaction, making it easier for attackers with limited access to escalate their privileges on the device. The vulnerability is categorized under CWE-863, which relates to improper authorization. The CVSS v3.1 base score is 7.8, reflecting high severity with impacts on confidentiality, integrity, and availability (all rated high). The attack vector is local (AV:L), requiring low attack complexity (AC:L), and low privileges (PR:L), with no user interaction (UI:N). The vulnerability affects Android’s multi-user environment, which is commonly used in shared devices or enterprise settings. No patches have been released at the time of this report, and no known exploits are currently observed in the wild. The flaw could be exploited by malicious apps or users to gain unauthorized access to sensitive data or system functions, potentially compromising device security and user privacy.
Potential Impact
The vulnerability allows local attackers with limited privileges on secondary user profiles to escalate their permissions to those of the primary user, potentially gaining access to sensitive data, system settings, or administrative functions. This can lead to unauthorized data disclosure, modification, or deletion, and may allow installation of persistent malware or disruption of device operations. Organizations using Android devices in multi-user configurations, such as shared corporate devices or kiosks, face increased risk of insider threats or compromised user accounts. The lack of required user interaction facilitates stealthy exploitation, increasing the likelihood of undetected privilege escalation. This could undermine trust in device security, lead to data breaches, and impact compliance with data protection regulations. The vulnerability’s high CVSS score indicates a significant risk to confidentiality, integrity, and availability, potentially affecting critical business and personal data on affected devices.
Mitigation Recommendations
Until official patches are released, organizations should implement strict controls on app installations and permissions for secondary user profiles, limiting the ability to install untrusted or unnecessary applications. Employ mobile device management (MDM) solutions to enforce policies that restrict secondary user creation or usage on corporate devices. Monitor device logs for unusual permission changes or privilege escalations originating from secondary profiles. Educate users about the risks of installing apps from untrusted sources, especially on secondary accounts. Once patches become available, prioritize immediate deployment across all affected Android versions (13, 14, and 15). Consider disabling multi-user functionality on devices where it is not essential to reduce the attack surface. Regularly audit device configurations and permissions to detect and remediate any unauthorized changes. Additionally, implement endpoint detection and response (EDR) tools capable of identifying suspicious local privilege escalation behaviors on Android devices.
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Japan, South Korea, France, Russia, China, Canada, Australia, Mexico, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2025-01-06T17:45:03.361Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68b77090ad5a09ad00e938af
Added to database: 9/2/2025, 10:32:48 PM
Last enriched: 2/27/2026, 12:53:39 AM
Last updated: 3/23/2026, 9:26:54 PM