cnvd - cnvd-2025-20000

CNVD-2025-20000

Vulnerability from cnvd - Published: 2025-09-02

Title

Google Android TV存在未明漏洞

Description

Google Android TV是美国谷歌（Google）公司的一个电视操作系统应用。 Google Android TV存在安全漏洞，攻击者可利用该漏洞可能导致任意活动启动。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60309

Reference

https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60309

Impacted products

Name
Google Android TV

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-8192",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-8192"
    }
  },
  "description": "Google Android TV\u662f\u7f8e\u56fd\u8c37\u6b4c\uff08Google\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u7535\u89c6\u64cd\u4f5c\u7cfb\u7edf\u5e94\u7528\u3002\n\nGoogle Android TV\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u80fd\u5bfc\u81f4\u4efb\u610f\u6d3b\u52a8\u542f\u52a8\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://defcon.org/html/defcon-33/dc-33-speakers.html#content_60309",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-20000",
  "openTime": "2025-09-02",
  "products": {
    "product": "Google Android TV"
  },
  "referenceLink": "https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60309",
  "serverity": "\u4e2d",
  "submitTime": "2025-08-11",
  "title": "Google Android TV\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2025-8192 (GCVE-0-2025-8192)

Vulnerability from cvelistv5 – Published: 2025-07-31 08:24 – Updated: 2025-07-31 13:20

Title

Race condition in AndroidTV TvSettings

Summary

There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that lead to start of attacker supplied activity in Settings’ context, i.e. system-uid context, thus lead to launchAnyWhere. The core idea is to utilize the time window between the check of Intent and the use to Intent to change the target component’s state, thus bypass the original security sanitize function.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N

CWE

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Assigner

Google

References

URL

Tags

https://defcon.org/html/defcon-33/dc-33-speakers.…

Impacted products

	Vendor	Product	Version
	Android	TV	Affected: 0

Credits

Qidan He

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8192",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-31T13:20:05.260633Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-31T13:20:16.832Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cs.android.com/android/platform/superproject/main/+/main:packages/apps/TvSettings/Settings/src/com/android/tv/",
          "defaultStatus": "unaffected",
          "product": "TV",
          "programFiles": [
            "packages/apps/TvSettings/Settings/src/com/android/tv/settings/users/AppRestrictionsFragment.java"
          ],
          "vendor": "Android",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qidan He"
        }
      ],
      "datePublic": "2025-06-10T22:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThere exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that lead to start of attacker supplied activity in Settings\u2019 context, i.e. system-uid context, thus lead to launchAnyWhere. T\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehe core idea is to utilize the time window between the check of Intent and the use to Intent to change the target component\u2019s state, thus bypass the original security sanitize function.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that lead to start of attacker supplied activity in Settings\u2019 context, i.e. system-uid context, thus lead to launchAnyWhere. The core idea is to utilize the time window between the check of Intent and the use to Intent to change the target component\u2019s state, thus bypass the original security sanitize function."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-31T08:24:26.612Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60309"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Race condition in AndroidTV TvSettings",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2025-8192",
    "datePublished": "2025-07-31T08:24:26.612Z",
    "dateReserved": "2025-07-25T08:57:20.782Z",
    "dateUpdated": "2025-07-31T13:20:16.832Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-20000

CVE-2025-8192 (GCVE-0-2025-8192)

Tags

Sightings

Nomenclature