CVE-2025-26453 is a medium-severity information disclosure vulnerability affecting Google Android versions 13, 14, and 15. The flaw exists in the BluetoothOppSendFileInfo.java component, specifically within the isContentUriForOtherUser function. Due to a logic error, the code improperly handles user context checks, resulting in a cross-user data leak. This means that a local attacker with limited privileges (low privileges) can access information belonging to other users on the same device without requiring any additional execution privileges or user interaction. The vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Exploitation requires local access to the device but no user interaction, making it easier for malicious apps or users with limited access to extract sensitive data from other user profiles on the device. The CVSS v3.1 base score is 5.5, reflecting a medium severity level, with a vector indicating local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights a privacy risk in multi-user Android environments, especially on shared devices or devices with multiple profiles, where sensitive information could be exposed across user boundaries due to flawed access control logic in Bluetooth file transfer components.

For European organizations, this vulnerability poses a privacy and data confidentiality risk, particularly in environments where Android devices are shared among multiple users or where multiple user profiles are configured on a single device. Sectors such as healthcare, finance, government, and enterprises with Bring Your Own Device (BYOD) policies could be impacted if sensitive user data is leaked across profiles. Although the attack requires local access and low privileges, insider threats or malicious apps installed on the device could exploit this flaw to access confidential information from other users. This could lead to unauthorized disclosure of personal data, intellectual property, or sensitive corporate information, potentially violating GDPR and other data protection regulations. The lack of required user interaction lowers the barrier for exploitation, increasing risk in environments where devices are physically accessible to multiple users. However, the vulnerability does not affect device integrity or availability, limiting the impact to confidentiality breaches only.

European organizations should implement the following specific mitigations: 1) Enforce strict device access controls to limit local access to authorized users only, reducing the risk of local exploitation. 2) Restrict installation of untrusted or unnecessary applications that could leverage this vulnerability to access other users' data. 3) Monitor and audit multi-user Android devices for unusual access patterns or data exfiltration attempts. 4) Apply security policies that disable or limit multi-user profiles on corporate devices unless absolutely necessary. 5) Stay informed about official patches or updates from Google and prioritize timely deployment once available. 6) Use Mobile Device Management (MDM) solutions to enforce security configurations and restrict Bluetooth file transfer features if not required. 7) Educate users about the risks of sharing devices and the importance of maintaining separate user profiles with appropriate permissions. These targeted measures go beyond generic advice by focusing on controlling local access, application permissions, and device configuration to mitigate the specific cross-user data leak risk.