Permission Check Flaw in Android Recovery System Allows Unauthorized Factory Reset
CVE-2025-48614

Currently unrated

Key Information:

Vendor: Google
Status: Android
Vendor: CVE Published:; 8 December 2025

What is CVE-2025-48614?

A security vulnerability exists in the Recovery System of Android devices where a missing permission check in the rebootWipeUserData function could allow unauthorized users to perform a factory reset while the device is in DSU mode. This flaw could potentially lead to a physical denial of service, enabling exploitation without requiring additional execution privileges or user interaction. Users should ensure their devices are updated to mitigate this risk.

Affected Version(s)

Android 16

Android 15

Android 14

References

https://android.googlesource.com/platform/frameworks/base...

https://source.android.com/security/bulletin/2025-12-01

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 8, 2025
Vulnerability Reserved
May 22, 2025

JSON

Google

What is CVE-2025-48614?

Affected Version(s)

References

Timeline