Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to access URIs belonging to other users on the device due to a logic error across multiple functions in ComputerEngine.java. No user interaction or additional execution privileges are required, but exploitation is local and currently no public exploit is identified at time of analysis (EPSS 0.12%, SSVC exploitation: none).
Technical ContextAI
The flaw resides in ComputerEngine.java, a component of the Android PackageManager service stack responsible for resolving and querying package and content URI information across the multi-user framework. Android isolates data between users (work profiles, secondary users, guest accounts) via UID/user-ID boundaries enforced through permission checks on URI grants. The CWE-284 (Improper Access Control) classification indicates that one or more code paths in this engine fail to correctly validate cross-user URI access, breaking the user-isolation boundary that Android's multi-user model depends on. Per CPE data, the affected product is Google Android across multiple major releases.
RemediationAI
Apply the Android Security Bulletin patch level dated 2026-06-01 or later, available via the June 2026 Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM-shipped patches will roll out on the device manufacturer's schedule, so enterprise fleets should verify the security patch level (Settings → About → Android security update) reflects 2026-06-01 or newer. No vendor-released patched build version is independently confirmed in the supplied data beyond the bulletin date reference. As a compensating control until patched OEM builds reach devices, restrict sideloading via MDM (disallow installation from unknown sources) and review managed Google Play allowlists to reduce the risk of a malicious local app being present; on multi-user/work-profile deployments, minimize the use of secondary users carrying sensitive data on unpatched devices, accepting the trade-off of reduced profile separation features.
Same weakness CWE-284 – Improper Access Control
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210009
GHSA-jmw3-jmqp-jvmp