Severe StrongBox Vulnerability Patched in Android

The latest Android security updates address only two vulnerabilities: a critical denial-of-service (DoS) issue, and a StrongBox flaw whose impact does not appear to have been disclosed. 

The DoS vulnerability is tracked as CVE-2026-0049 and it affects Android’s Framework component. The weakness can be exploited by a local attacker with no additional execution privileges and without user interaction to cause a DoS condition. 

The second vulnerability affects StrongBox, Android’s hardware-backed secure keystore that adds a higher level of protection for cryptographic keys. 

StrongBox works by storing and managing keys inside a dedicated Secure Element (SE), a separate, tamper-resistant hardware chip that includes its own processor, isolated memory, a hardware-based random number generator, with strong defenses against physical and side-channel attacks.

The StrongBox flaw is tracked as CVE-2025-48651 and it has been assigned a ‘high severity’ rating, but it’s unclear what it can be exploited for. StrongBox vulnerabilities in general could allow key extraction, privilege escalation, or triggering a DoS condition. 

Technical details will likely become available at a later time. 

According to the Android security bulletin, CVE-2025-48651 affects StrongBox implementations from Google, NXP, STMicroelectronics, and Thales. 

Neither of the vulnerabilities appears to have been exploited in the wild.

Related: Android Update Patches Exploited Qualcomm Zero-Day

Related: Android Zero-Days Patched in December 2025 Security Update

Related: Android 17 Beta Strengthens Secure-by-Default Design for Privacy and App Security