Third-Party Passkey Security Flaw in Android Products by Google
CVE-2025-48640

Currently unrated

Key Information:

Vendor: Google
Status: Android
Vendor: CVE Published:; 17 June 2026

What is CVE-2025-48640?

A vulnerability has been identified in Google Android products where a missing permission check allows for third-party passkey entry pairing approval. This flaw can lead to potential adversaries escalating privileges without requiring any extra execution permissions. Notably, this issue can be exploited remotely, meaning that user interaction is not necessary for an attacker to take advantage of this security gap. It is crucial for users to keep their systems updated to mitigate the risks associated with this vulnerability.

Affected Version(s)

Android 17

References

https://source.android.com/docs/security/bulletin/android-17

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
May 22, 2025

CVE-2025-48640 Data

JSON