CVE-2025-22423 Overview
CVE-2025-22423 is a high-severity out-of-bounds read vulnerability [CWE-125] in the Android Digital Negative (DNG) Software Development Kit. The flaw resides in the ParseTag function of dng_ifd.cpp, where a missing bounds check allows a malformed DNG image to crash the image renderer. Remote attackers can trigger a denial-of-service condition without user interaction and without elevated privileges. The vulnerability affects Android 13, 14, and 15, and Google addressed it in the April 2025 Android Security Bulletin.
Critical Impact
Remote attackers can crash the Android image rendering process by delivering a crafted DNG file, resulting in denial of service across affected Android 13, 14, and 15 devices.
Affected Products
- Google Android 13.0
- Google Android 14.0
- Google Android 15.0
Discovery Timeline
- 2025-09-02 - CVE-2025-22423 published to the National Vulnerability Database
- 2025-09-04 - Last updated in NVD database
Technical Details for CVE-2025-22423
Vulnerability Analysis
The vulnerability is an out-of-bounds read in the Android DNG SDK, a library used to parse Adobe Digital Negative raw image files. The defective code path is the ParseTag routine in dng_ifd.cpp, which processes Image File Directory (IFD) tags embedded within DNG containers.
When the parser reads tag-specific fields, it fails to validate that the requested offset or length stays within the bounds of the source buffer. A crafted DNG file containing manipulated tag metadata forces the parser to read beyond the allocated buffer, producing an invalid memory access that terminates the image renderer process.
The vulnerability does not yield confidentiality or integrity impact, but the availability impact is high because the image renderer is invoked by many system and application surfaces, including messaging apps, gallery previews, and thumbnail generation.
Root Cause
The root cause is a missing bounds check inside ParseTag in dng_ifd.cpp. The function trusts attacker-controlled size and offset fields parsed from the DNG IFD without validating them against the underlying stream length. Google's upstream fix in the Android DNG SDK introduces the required validation before the read operation.
Attack Vector
The attack vector is network-based and requires no user interaction. An attacker delivers a malicious DNG file through any channel that triggers image parsing, such as messaging applications, email attachments, web content, or push notifications that auto-render media. When the Android renderer parses the file, the out-of-bounds read crashes the process. Repeated delivery can result in sustained denial of service against the targeted device.
No public proof-of-concept or exploit code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-22423
Indicators of Compromise
- Repeated crashes of Android image rendering processes or media-handling system services when opening or previewing image attachments.
- DNG (.dng) files received via messaging, email, or download with abnormally large or malformed IFD tag structures.
- Application crash logs referencing dng_sdk, dng_ifd, or ParseTag frames in native stack traces.
Detection Strategies
- Inspect inbound files at email and messaging gateways for DNG containers and validate IFD tag offsets against declared file size before delivery.
- Correlate Android tombstone or logcat crash signatures involving the DNG SDK with the source application and originating sender.
- Monitor mobile device management (MDM) telemetry for unpatched Android builds predating the April 2025 security patch level.
Monitoring Recommendations
- Track the Android security patch level on managed devices and alert when devices remain below the 2025-04-01 patch level.
- Forward mobile crash telemetry to a centralized log platform and build detections for repeated native crashes in image rendering components.
- Review messaging and email gateway logs for inbound DNG files originating from untrusted senders.
How to Mitigate CVE-2025-22423
Immediate Actions Required
- Apply the April 2025 Android security update (patch level 2025-04-01 or later) on all Android 13, 14, and 15 devices.
- Enforce minimum Android patch level requirements through MDM and block enrollment of devices on outdated builds.
- Restrict auto-download and auto-render of media attachments in messaging and email clients on managed devices.
Patch Information
Google published the fix in the Android Security Bulletin April 2025. The upstream code change for the Android DNG SDK adds the missing bounds validation in ParseTag and is available in the Android DNG SDK Update. Device manufacturers ship the fix as part of monthly Android security patch updates, so end users must install the OEM update that includes the 2025-04-01 patch level.
Workarounds
- Disable automatic media preview and download in messaging applications until the security patch is installed.
- Avoid opening DNG files received from untrusted or unverified sources.
- Use mobile threat defense tooling to scan inbound attachments and block DNG files at the gateway where image rendering is not required.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2025-04-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
