Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple locations, there is a possible background activity launch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to launch background activities without the required permission check, enabling elevation to higher-privileged execution contexts without user interaction. The flaw, tracked as EUVD-2025-210011 and addressed in the June 2026 Android Security Bulletin, carries a CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N) with high impact across confidentiality, integrity, and availability; no public exploit identified at time of analysis and EPSS is 0.01%, indicating very low predicted exploitation probability in the near term.
Technical ContextAI
The issue resides in Android's activity lifecycle controls, specifically in the background activity launch (BAL) restrictions that Android has progressively tightened since Android 10 to prevent malicious apps from displaying UI or executing code in privileged contexts while not in the foreground. According to the description, multiple code paths fail to perform a permission check before allowing a background activity launch, which is functionally a missing authorization (CWE-862 class, though CWE is listed as N/A in the input). The affected CPE is cpe:2.3:a:google:android (framework/platform component), spanning Android 14 through 16-qpr2, suggesting the regression or oversight exists across several major platform releases and was likely identified during internal review or external researcher disclosure feeding into the AOSP security bulletin process.
RemediationAI
Apply the Android June 2026 security patch level (2026-06-01 or later) as documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01 - this is the vendor-released patch path for Android 14, 15, 16, and 16-qpr2. For managed fleets, enforce SPL >= 2026-06-01 via MDM compliance policies (Android Enterprise, Intune, Workspace ONE) and block enrollment of devices below this level. Until OEM patches arrive, compensating controls are limited because the flaw is in platform code; reduce risk by restricting sideloading via Play Protect enforcement and Google Play-only install policies, auditing installed apps with the BIND_ACCESSIBILITY_SERVICE or activity-launching capabilities, and on managed devices disabling 'Install unknown apps' - note these reduce but do not eliminate exposure from a malicious app already permitted to run.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210011
GHSA-cr9g-295j-fq2w