7.8
Android Media App Allows Unauthorized File Writing
CVE-2025-48578
ASB-A-418225717
Summary
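A missing permission check in Android's MediaProvider (multiple functions of MediaProvider.java) could allow files to be written to a device without the WRITE_EXTERNAL_STORAGE permission. An attacker could use this for local escalation of privilege with no additional execution privileges, although exploitation requires user interaction. To fix this, MediaProvider needs to be updated to a version that includes the proper permission checks.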
What to do
- Update google platform/packages/providers/mediaprovider to version 16-qpr2-next:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 15:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 16:2026-03-01.
- Update google platform/packages/providers/mediaprovider to version 14:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | android | 14.0 | – |
| | android | 15.0 | – |
| | android | 16.0 | – |
| google | platform/packages/providers/mediaprovider | > 16-qpr2-next:0, <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 15:0, <= 15:2026-03-01 | 15:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 16:0, <= 16:2026-03-01 | 16:2026-03-01 |
| google | platform/packages/providers/mediaprovider | > 14:0, <= 14:2026-03-01 | 14:2026-03-01 |
Original title
In multiple functions of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a missing permission check. This could lead to local escalation of privil...
Original description
In multiple functions of MediaProvider.java, there is a possible way to bypass the WRITE_EXTERNAL_STORAGE permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
nvd CVSS3.1
7.8
Vulnerability type
CWE-862
Missing Authorization
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026