Introduction
Attackers can silently access images belonging to other users on a shared Android device, bypassing the platform's user isolation controls. This vulnerability, tracked as CVE-2025-32320, impacts Android 16 System UI and enables local privilege escalation without any user interaction or additional execution privileges.
Android is the world's most widely used mobile operating system, powering billions of smartphones and tablets globally. Google, as the primary developer, maintains Android's security through monthly bulletins and coordinates with device manufacturers and carriers for patch distribution.
Technical Information
CVE-2025-32320 is a confused deputy vulnerability (CWE-441) in the System UI component of Android 16. System UI runs with system privileges and services requests from far less privileged callers; a confused deputy arises when it uses its own authority to satisfy a request whose target the caller should never have been able to reach. Here the flaw allows a local attacker to view images belonging to other user profiles on the same device. The reported root cause is improper privilege boundary validation in System UI's media handling routines: when processing an image access request, System UI does not adequately verify the requesting user's context, so a crafted request or manipulated system state can cause it to open images outside the attacker's own profile.
No user interaction is required for exploitation, and no additional execution privileges are needed, so a local attacker or malicious app can exploit the flaw silently. The issue undermines Android's multi-user isolation, which keeps each user's data, including media, in per-user storage that apps in other profiles cannot reach.
No public code snippets or vulnerable code fragments have been disclosed for this issue.
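Because nothing has been published, the following is an added illustration of the CWE-441 pattern in a multi-user image service, not System UI code and not the CVE-2025-32320 code path. It models two real Android conventions: an app's UID encodes its user (uid = user_id * 100000 + app_id), and a content URI may name a target user in its authority (content://10@authority/...). The authority name, the simplified `/images/<id>` path, the in-memory store, the permission table and the sample data are all assumptions made for the example. The vulnerable deputy resolves the user from caller-supplied URI data; the hardened one derives it from the caller's UID and requires a cross-user permission for anything else.

```python
"""Hypothetical model of a confused deputy (CWE-441) in a multi-user image
service. Added illustration only: NOT System UI code and NOT the
CVE-2025-32320 code path, which has not been published."""
import re

# Android encodes the user in the app UID: uid = user_id * 100000 + app_id.
PER_USER_RANGE = 100_000
INTERACT_ACROSS_USERS = "android.permission.INTERACT_ACROSS_USERS"

# Content URIs may carry a target user in the authority's userinfo part,
# e.g. content://10@media/images/7 (user 10's image 7). The "/images/<id>"
# path shape is simplified for this example.
_URI_RE = re.compile(r"^content://(?:(\d+)@)?([\w.]+)/images/(\d+)$")


def user_id_from_uid(uid: int) -> int:
    return uid // PER_USER_RANGE


def parse_image_uri(uri: str, default_user: int):
    """Return (user_id, authority, image_id); user defaults to the caller's."""
    m = _URI_RE.match(uri)
    if not m:
        raise ValueError(f"not an image URI: {uri}")
    user = int(m.group(1)) if m.group(1) is not None else default_user
    return user, m.group(2), int(m.group(3))


class ImageStore:
    """Per-user image storage keyed by (user_id, image_id). Constructed data."""
    def __init__(self):
        self._images = {
            (0, 7): b"owner-photo-7",
            (10, 7): b"guest-photo-7",
        }

    def read(self, user_id: int, image_id: int) -> bytes:
        return self._images[(user_id, image_id)]


class VulnerableDeputy:
    """Privileged service that opens images on behalf of callers and trusts
    the caller-supplied user component of the URI: the confused deputy."""
    def __init__(self, store: ImageStore):
        self.store = store

    def open_image(self, calling_uid: int, uri: str) -> bytes:
        caller_user = user_id_from_uid(calling_uid)
        target_user, _authority, image_id = parse_image_uri(uri, caller_user)
        # BUG: target_user comes from attacker-controlled input and is never
        # compared with the caller's own user.
        return self.store.read(target_user, image_id)


class HardenedDeputy(VulnerableDeputy):
    """Same service, but enforces the user boundary on the caller's identity
    (derived from the UID), not on data the caller supplied."""
    def __init__(self, store: ImageStore, granted_permissions=None):
        super().__init__(store)
        self.granted = granted_permissions or {}  # uid -> set of permissions

    def open_image(self, calling_uid: int, uri: str) -> bytes:
        caller_user = user_id_from_uid(calling_uid)
        target_user, _authority, image_id = parse_image_uri(uri, caller_user)
        allowed = INTERACT_ACROSS_USERS in self.granted.get(calling_uid, set())
        if target_user != caller_user and not allowed:
            raise PermissionError(
                f"uid {calling_uid} (user {caller_user}) may not read user {target_user}")
        return self.store.read(target_user, image_id)


def demo():
    """A guest-profile app (user 10) asks for the owner's (user 0) image 7."""
    store = ImageStore()
    guest_app_uid = 10 * PER_USER_RANGE + 10123  # user 10, app_id 10123
    cross_user_uri = "content://0@media/images/7"
    leaked = VulnerableDeputy(store).open_image(guest_app_uid, cross_user_uri)
    try:
        HardenedDeputy(store).open_image(guest_app_uid, cross_user_uri)
        blocked = False
    except PermissionError:
        blocked = True
    own = HardenedDeputy(store).open_image(guest_app_uid, "content://media/images/7")
    return leaked, blocked, own


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is where the authority check is anchored: a check against anything the caller sent (the URI, an extra, a bundle field) can be satisfied by a caller who simply lies, whereas the UID is assigned by the kernel and cannot be forged by an unprivileged app.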
Patch Information
The fix for CVE-2025-32320 is part of the September 2025 Android Security Bulletin. The same bulletin also addressed two separate vulnerabilities, CVE-2025-38352 and CVE-2025-48543, which Google reported may be under limited, targeted exploitation. (bleepingcomputer.com)
CVE-2025-38352: Kernel Race Condition
This vulnerability resided in the Linux kernel's handling of POSIX CPU timers. A race condition between handle_posix_cpu_timers() and posix_cpu_timer_del() could allow an attacker to escalate privileges or destabilize the system. The patch introduced synchronization to prevent the two paths from running concurrently, ensuring that timer operations do not overlap with task exit.
CVE-2025-48543: Android Runtime Privilege Escalation
This flaw affected the Android Runtime (ART), where a malicious application could exploit the vulnerability to gain elevated privileges without user interaction. The fix involved enhancing the security checks within ART to prevent unauthorized access and ensure that applications operate within their designated privilege levels.
Devices at security patch level 2025-09-05 or later carry all three fixes, including the System UI fix for CVE-2025-32320.
Affected Systems and Versions
- Android 16 System UI is directly affected
- Devices running Android 16 prior to the September 2025 security patch level (2025-09-05) are vulnerable
- Multi-user configurations are specifically at risk
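To triage a fleet against the conditions above, the following is an added helper, not part of the advisory. It parses the output of the standard Android commands `adb shell getprop` and `adb shell pm list users`, flags builds that are Android 16 with a security patch level earlier than 2025-09-05, and reports whether more than one user profile exists (the precondition for cross-profile access). The sample command output is constructed; the second user's name and flag value are placeholders.

```python
"""Added triage helper: is this device an Android 16 build before patch
level 2025-09-05, and does it have more than one user profile? Not part of
the advisory. Sample output below is constructed."""
import re
import shutil
import subprocess
from datetime import date

FIXED_PATCH_LEVEL = date(2025, 9, 5)  # patch level that carries the fix
AFFECTED_RELEASE = "16"

# getprop dump lines look like: [ro.build.version.release]: [16]
_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")
# pm list users lines look like: UserInfo{10:Name:flags} ...
_USER_RE = re.compile(r"UserInfo\{(\d+):")


def parse_getprop(output: str) -> dict:
    """Parse `adb shell getprop` output into a {key: value} dict."""
    props = {}
    for line in output.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_user_ids(pm_output: str) -> list:
    """Extract the numeric user IDs from `adb shell pm list users` output."""
    return [int(u) for u in _USER_RE.findall(pm_output)]


def assess(props: dict, user_ids: list) -> dict:
    """Combine build properties and user list into a verdict."""
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        patch_date = date.fromisoformat(patch)
    except ValueError:
        patch_date = None  # missing or malformed: treat as unpatched
    unpatched = (release == AFFECTED_RELEASE
                 and (patch_date is None or patch_date < FIXED_PATCH_LEVEL))
    multi_user = len(user_ids) > 1
    return {
        "release": release,
        "security_patch": patch,
        "unpatched_android16": unpatched,
        "multi_user": multi_user,
        # Exposure to this specific bug needs both conditions.
        "exposed": unpatched and multi_user,
    }


# Constructed sample output shaped like a real device's dump.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [16]
[ro.build.version.sdk]: [36]
[ro.build.version.security_patch]: [2025-08-05]
"""
SAMPLE_PM_USERS = """\
Users:
\tUserInfo{0:Owner:c13} running
\tUserInfo{10:Second user:0} running
"""


def assess_device(serial=None):
    """Query a connected device over adb; returns None if adb is not installed."""
    if shutil.which("adb") is None:
        return None
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    props = subprocess.run(base + ["getprop"], capture_output=True, text=True).stdout
    users = subprocess.run(base + ["pm", "list", "users"],
                           capture_output=True, text=True).stdout
    return assess(parse_getprop(props), parse_user_ids(users))


if __name__ == "__main__":
    verdict = assess_device()
    if verdict is None:
        verdict = assess(parse_getprop(SAMPLE_GETPROP), parse_user_ids(SAMPLE_PM_USERS))
    print(verdict)
```

A missing or unparsable ro.build.version.security_patch is deliberately treated as unpatched rather than skipped, since a build that cannot state its patch level should not be assumed safe.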
Vendor Security History
Google has a mature vulnerability management program for Android, with monthly security bulletins and a history of addressing confused deputy and privilege escalation vulnerabilities. Similar issues (CWE-441) have been patched in previous Android releases. Patch response for Google devices is typically prompt, but delays can occur for devices managed by OEMs and carriers.