CVE-2025-32346 is a vulnerability in Google Android 16, specifically within the onActivityResult method of the VoicemailSettingsActivity.java component. The flaw is classified as a confused deputy problem (CWE-441), where the application improperly handles permissions or authority, leading to unintended information disclosure. In this case, the vulnerability can cause leakage of work profile contact numbers, which are typically segregated for privacy and security reasons. The flaw allows a local attacker, without needing additional execution privileges or user interaction, to escalate their privileges on the device. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that the attack requires local access with low complexity, minimal privileges, and no user interaction, but results in high impact on confidentiality, integrity, and availability. This suggests that an attacker with limited access could gain significant control or access to sensitive data. The vulnerability is currently published but lacks an official patch or known exploits in the wild. The affected component is part of Android’s voicemail settings, which may be leveraged to bypass work profile isolation mechanisms, undermining enterprise security policies that rely on profile separation.

The vulnerability poses a significant risk to organizations and individuals using Android 16 devices, especially those employing work profiles to separate personal and corporate data. Leakage of work profile contact numbers can expose sensitive corporate information, potentially leading to targeted social engineering or further attacks. The elevation of privilege aspect means attackers can gain unauthorized access to higher privilege levels, potentially compromising device integrity and availability. This could facilitate installation of malicious software, data exfiltration, or disruption of device functions. Enterprises relying on Android devices for secure communications and data segregation are particularly at risk, as this vulnerability undermines the security boundary between personal and work profiles. The lack of required user interaction increases the likelihood of exploitation in environments where local access is possible, such as shared devices or compromised endpoints.

Until an official patch is released, organizations should enforce strict local device access controls, including strong authentication and device encryption to limit local attacker opportunities. Employ Mobile Device Management (MDM) solutions to monitor and restrict application permissions related to voicemail and contact access. Disable or restrict work profile features where feasible to reduce attack surface. Regularly audit device configurations and logs for suspicious activity related to voicemail settings or contact access. Educate users about the risks of local device access by untrusted parties. Once patches become available, prioritize immediate deployment on all affected Android 16 devices. Additionally, consider implementing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions capable of detecting anomalous privilege escalation attempts on mobile devices.