Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.4
Android App Can Delete Files with Read-Only Access
CVE-2025-48619
ASB-A-414387646
Summary
An issue in ContentProvider.java allows an app with limited access to delete files, potentially causing data loss. This can happen without the user needing to do anything, and doesn't require the app to have extra permissions. Update ContentProvider.java to fix the issue and prevent this problem.
What to do
- Update google platform/frameworks/base to version 16-qpr2-next:2026-03-01.
- Update google platform/frameworks/base to version 15:2026-03-01.
- Update google platform/frameworks/base to version 16:2026-03-01.
- Update google platform/frameworks/base to version 14:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| android | 14.0 | – | |
| android | 15.0 | – | |
| android | 16.0 | – | |
| platform/frameworks/base | > 16-qpr2-next:0 , <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 | |
| platform/frameworks/base | > 15:0 , <= 15:2026-03-01 | 15:2026-03-01 | |
| platform/frameworks/base | > 16:0 , <= 16:2026-03-01 | 16:2026-03-01 | |
| platform/frameworks/base | > 14:0 , <= 14:2026-03-01 | 14:2026-03-01 |
Original title
In multiple functions of ContentProvider.java, there is a possible way for an app with read-only access to truncate files due to a logic error in the code. This could lead to local escalation of pr...
Original description
In multiple functions of ContentProvider.java, there is a possible way for an app with read-only access to truncate files due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
nvd CVSS3.1
8.4
Vulnerability type
CWE-284
Improper Access Control
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026