CVE-2025-48526 is a medium-severity local privilege escalation vulnerability affecting Google Android versions 13 through 16. The flaw exists in the createMultiProfilePagerAdapter method of the ChooserActivity.java component. Due to improper input validation, a malicious app can launch the ChooserActivity in another user profile on the same device. This behavior allows the attacker to escalate privileges locally without requiring any additional execution privileges or user interaction. The vulnerability is classified under CWE-266, which relates to improper access control. Exploitation does not require prior authentication or user involvement, making it more accessible for local attackers. However, the attack vector is local, meaning the attacker must have the ability to run code on the device already. The impact is limited to confidentiality, as the attacker can access resources or activities in other profiles, but it does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The CVSS v3.1 base score is 4.0, reflecting a low complexity attack with limited impact scope and no user interaction needed.

For European organizations, this vulnerability poses a risk primarily in environments where Android devices are used with multiple user profiles, such as corporate devices shared among employees or devices with work profiles managed via enterprise mobility management (EMM) solutions. An attacker with local access to a device could leverage this flaw to access data or applications in other profiles, potentially bypassing intended access controls. This could lead to unauthorized access to sensitive corporate information stored in separate profiles or work containers. Although the vulnerability does not allow full system compromise or remote exploitation, it undermines the security boundaries between profiles, which may be critical in regulated industries such as finance, healthcare, or government sectors prevalent in Europe. The lack of user interaction requirement increases the risk of stealthy exploitation. However, the necessity for local code execution limits the threat mainly to insider threats or scenarios where devices are physically compromised.

European organizations should prioritize the following mitigations: 1) Ensure all Android devices are updated to the latest available security patches as soon as Google releases a fix for this vulnerability. 2) Enforce strict device usage policies that limit installation of untrusted or unknown applications to reduce the risk of malicious apps gaining local execution. 3) Use Mobile Device Management (MDM) or Enterprise Mobility Management (EMM) solutions to control app permissions and profile configurations, restricting cross-profile interactions where possible. 4) Monitor devices for unusual activity indicative of privilege escalation attempts, such as unexpected launches of ChooserActivity or profile switching. 5) Educate users on the risks of installing apps from unofficial sources and the importance of device security hygiene. 6) Consider disabling multi-profile features on corporate devices if not required, to reduce the attack surface. 7) Implement endpoint detection and response (EDR) tools capable of detecting local privilege escalation behaviors on Android devices.