CVE-2025-48590 is a denial of service vulnerability identified in Google Android operating system versions 13 through 16. The flaw exists in the verifyAndGetBypass method within AppOpsService.java, a component responsible for managing app operation permissions. A malicious application can exploit this vulnerability by causing resource exhaustion, which under certain limited conditions prevents the device from dialing emergency services. This attack does not require user interaction and can be executed with only limited privileges, meaning a low-privilege app installed on the device can trigger the denial of service. The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that the root cause is the improper handling of resource allocation leading to exhaustion. The impact is a local denial of service affecting the availability of emergency call functionality, a critical safety feature on mobile devices. The CVSS v3.1 score is 5.5 (medium severity), reflecting the lack of impact on confidentiality or integrity but a significant impact on availability. No patches have been linked yet, and no known exploits are reported in the wild, but the vulnerability poses a serious risk to users relying on Android devices for emergency communications. The issue highlights the importance of robust resource management in security-sensitive components of mobile operating systems.

For European organizations, this vulnerability poses a significant risk to the availability of emergency communication services on Android devices. Emergency call functionality is critical for personal safety, workplace health and safety compliance, and emergency response coordination. Disruption of this service could delay or prevent timely access to emergency responders, potentially leading to severe consequences in life-threatening situations. Organizations that provide mobile devices to employees, especially in sectors such as healthcare, public safety, transportation, and critical infrastructure, may face increased liability and operational risk. Additionally, the vulnerability could be exploited in targeted attacks to disrupt emergency services in specific locations or organizations. Although the attack requires local access and limited privileges, the widespread use of Android devices in Europe increases the attack surface. The lack of user interaction requirement further lowers the barrier for exploitation. Overall, the impact is primarily on availability, with potential indirect effects on organizational safety and compliance.

1. Restrict installation of untrusted or potentially malicious applications by enforcing strict app store policies and using mobile device management (MDM) solutions to control app deployment. 2. Monitor and audit app permissions regularly to detect and remove apps with suspicious behavior or excessive privileges. 3. Educate users about the risks of installing apps from unknown sources and encourage the use of official app stores only. 4. Implement runtime monitoring tools that can detect abnormal resource consumption patterns indicative of exploitation attempts. 5. Prepare to deploy security patches promptly once Google releases an official fix for this vulnerability. 6. Consider deploying emergency call redundancy solutions, such as alternative communication apps or devices, especially in critical operational environments. 7. Coordinate with mobile carriers and emergency service providers to ensure rapid incident response if denial of service is detected. 8. Conduct regular security assessments and penetration testing focusing on mobile device security to identify and remediate similar vulnerabilities proactively.