CVE-2025-48633 - Improper use of Binder identity manipulation in system code (18th Dec 2025)
Official announcement: December 1, 2025 | Updated December 4, 2025
Preface: The improper use of Binder identity manipulation in Android system code refers to a class of security vulnerabilities where a malicious application or process can spoof its identity (specifically its User ID and Process ID) when communicating with a trusted system service via the Binder Inter-Process Communication (IPC) mechanism. This deception can allow a lower-privileged application to bypass security checks and execute sensitive operations with the privileges of a legitimate, trusted system process.
Before the remedy – The code iterated through each user profile and created a context for that user. It then called AccountManager.getAccounts() for that specific user context. This means the check was per-user, and the caller only saw accounts for the user context it created. However, because the code temporarily cleared the Binder identity (Binder.clearCallingIdentity()), it was operating with system-level privileges during that loop. If misused, this could allow a component to access accounts across users, which is a privilege escalation risk.
What was the vulnerability?
The issue was in the Android system code that checked whether any accounts existed on the device. Please refer to the attached diagram for details.
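As an added illustration (not AOSP code and not the actual patch for this CVE), the sketch below shows a defensive pattern for code that clears the Binder identity around a per-user account loop like the one described above: read and authorize the caller first, keep the cleared window small, and restore the identity in a finally block. The class name AccountPresenceChecker and the policy of limiting unprivileged callers to their own user are assumptions; the code is written for a system service running inside the Android framework.

```java
import android.accounts.AccountManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.UserHandle;
import android.os.UserManager;

/** Hypothetical helper for illustration; not AOSP code and not the actual patch. */
final class AccountPresenceChecker {
    // Real permission name, given as a string because the constant is not in the public SDK.
    private static final String CROSS_USER = "android.permission.INTERACT_ACROSS_USERS";
    private final Context mContext;

    AccountPresenceChecker(Context context) { mContext = context; }

    /** Called on a Binder thread on behalf of a remote caller. */
    boolean hasAnyAccount() {
        // 1. Read the caller's identity and authorize BEFORE clearing it.
        final UserHandle callerUser = UserHandle.getUserHandleForUid(Binder.getCallingUid());
        final boolean crossUserAllowed = mContext.checkCallingPermission(CROSS_USER)
                == PackageManager.PERMISSION_GRANTED;

        // 2. Clear the identity only around the calls that need system privileges.
        final long token = Binder.clearCallingIdentity();
        try {
            if (!crossUserAllowed) {
                // Unprivileged caller (assumed policy): answer only for the caller's own user.
                return hasAccounts(callerUser);
            }
            UserManager um = mContext.getSystemService(UserManager.class);
            for (UserHandle profile : um.getUserProfiles()) {
                if (hasAccounts(profile)) {
                    return true;
                }
            }
            return false;
        } finally {
            // 3. Always restore the caller's identity, even if a call above throws.
            Binder.restoreCallingIdentity(token);
        }
    }

    private boolean hasAccounts(UserHandle user) {
        Context userContext = mContext.createContextAsUser(user, /* flags= */ 0);
        return AccountManager.get(userContext).getAccounts().length > 0;
    }
}
```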
Official announcement: For more details, please refer to the following link – https://source.android.com/docs/security/bulletin/2025-12-01