CVE-2025-32320 is a high-severity elevation of privilege vulnerability affecting Google Android version 16, specifically within the System UI component. The vulnerability arises from a confused deputy scenario, where the System UI improperly handles access control, allowing a local attacker to view images belonging to other users on the device. This flaw enables an attacker with limited privileges to escalate their access rights without requiring additional execution privileges or user interaction. The vulnerability is classified under CWE-441 (Incorrect Resource Transfer Between Spheres), indicating that the System UI component inadvertently exposes resources across user boundaries. Exploitation requires local access to the device but does not need the attacker to trick the user or gain higher privileges initially. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction needed. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of user images and the potential for further privilege escalation or data leakage on affected devices.

For European organizations, this vulnerability presents a notable risk, especially for enterprises and government entities that issue Android 16 devices to employees. The ability for a local attacker to access other users' images could lead to unauthorized disclosure of sensitive or confidential information, violating data protection regulations such as GDPR. Furthermore, the elevation of privilege could be leveraged as a foothold for more extensive attacks, including lateral movement within corporate environments or espionage activities. The lack of required user interaction lowers the barrier for exploitation, increasing the threat level in environments where devices might be shared or physically accessible by untrusted individuals. This vulnerability could also impact sectors with high privacy requirements, such as healthcare, finance, and public administration, where image data might contain personally identifiable information or sensitive operational details.

To mitigate CVE-2025-32320, organizations should prioritize updating all Android 16 devices to the latest security patches once Google releases a fix. In the interim, organizations should enforce strict physical security controls to limit local access to devices, including policies against device sharing and use of strong device lock mechanisms (PIN, biometric). Employ Mobile Device Management (MDM) solutions to monitor device compliance and restrict installation of untrusted applications that could attempt to exploit local vulnerabilities. Additionally, organizations should audit and restrict System UI permissions where possible and educate users on the risks of leaving devices unattended. For high-security environments, consider deploying endpoint detection and response (EDR) tools capable of identifying anomalous local privilege escalation attempts. Finally, maintain an inventory of affected devices and plan for rapid incident response should exploitation be detected.