
CVE-2025-48526: Elevation of privilege in Google Android

Medium
Published: Thu Sep 04 2025 (09/04/2025, 18:34:07 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: Android

Description

In createMultiProfilePagerAdapter of ChooserActivity.java, there is a possible way for an app to launch the ChooserActivity in another profile due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AI-Powered Analysis

Last updated: 09/04/2025, 19:11:29 UTC

Technical Analysis

CVE-2025-48526 is a local elevation of privilege vulnerability affecting Google Android versions 13 through 16. The flaw exists in the createMultiProfilePagerAdapter method within the ChooserActivity.java component. Specifically, improper input validation allows a malicious application to launch the ChooserActivity in another user profile on the same device. This cross-profile activity launch bypasses intended security boundaries between user profiles. Exploitation does not require any additional execution privileges beyond those already granted to the malicious app, nor does it require any user interaction, making it a stealthy and potentially reliable attack vector. By leveraging this vulnerability, an attacker could escalate their privileges locally, gaining access to resources or data in other profiles that should be isolated. Since Android supports multiple user profiles to separate work and personal data or multiple users on the same device, this vulnerability undermines the fundamental security model of profile isolation. The vulnerability was reserved in May 2025 and published in September 2025, with no known exploits in the wild at the time of disclosure. No CVSS score has been assigned yet, and no patches or mitigations have been officially linked, indicating that affected users and organizations should prioritize monitoring for updates and consider interim mitigations. The vulnerability's impact is significant because it allows privilege escalation without user interaction or additional privileges, increasing the risk of unauthorized data access or control over other profiles on the device.

Potential Impact

For European organizations, this vulnerability poses a risk primarily on Android devices used within corporate environments that utilize multiple user profiles, such as BYOD (Bring Your Own Device) policies or devices shared among employees. The ability for a malicious app to escalate privileges across profiles could lead to unauthorized access to sensitive corporate data, breach of privacy regulations such as GDPR, and potential lateral movement within enterprise mobile environments. Since user interaction is not required, the attack could be automated or triggered silently, increasing the risk of undetected compromise. The impact extends to sectors with high mobile device usage and strict data protection requirements, including finance, healthcare, and government agencies. Additionally, the vulnerability could be exploited to bypass security controls implemented via profile separation, undermining mobile device management (MDM) solutions that rely on profile isolation. This could result in data leakage, unauthorized access to corporate apps, or manipulation of device settings, ultimately affecting organizational security posture and compliance.

Mitigation Recommendations

Given the absence of an official patch at the time of disclosure, European organizations should implement the following specific mitigations:

1) Restrict installation of untrusted or third-party applications by enforcing strict app vetting and using enterprise app stores or Mobile Application Management (MAM) solutions.
2) Employ Mobile Device Management (MDM) policies to limit the creation and use of multiple profiles on corporate devices, or disable secondary profiles where feasible.
3) Monitor device logs and behavior for unusual activity related to profile switching or ChooserActivity launches, leveraging endpoint detection and response (EDR) tools tailored for mobile devices.
4) Educate users on the risks of installing apps from unknown sources and encourage adherence to corporate security policies.
5) Maintain up-to-date inventories of Android devices and their OS versions to prioritize upgrades once patches become available.
6) Collaborate with Google and device vendors to expedite patch deployment and validate remediation.
7) Consider deploying application sandboxing or containerization solutions that add an additional layer of isolation beyond Android profiles.

These targeted mitigations go beyond generic advice by focusing on controlling profile usage, app installation policies, and proactive monitoring specific to the vulnerability's exploitation vector.


Technical Details

Data Version: 5.1
Assigner Short Name: google_android
Date Reserved: 2025-05-22T18:10:57.282Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68b9dcc588499799243c2f5f

Added to database: 9/4/2025, 6:39:01 PM

Last enriched: 9/4/2025, 7:11:29 PM

Last updated: 9/5/2025, 8:04:45 PM
