CVE-2025-48612

In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not ne...

high 7.8 CVSS 3.1

Published: Dec 8, 2025

Modified: Jun 1, 2026

Vendor: Google

Product: Android

Versions: 13.0,14.0,15.0,16.0

Description

In setDefaultKey of DefaultPaymentSettings.java, there is a possible way for an application to set the main user's default NFC payment setting due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

https://source.android.com/docs/security/bulletin/2026/2026-06-01

Related CVEs

CVSS Breakdown

Version	3.1
Score	7.8 / 10
Severity	high

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness (CWE)

CWE-20

Affected Product

Vendor	Google
Product	Android
Versions	13.0,14.0,15.0,16.0