Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android versions 14, 15, 16, and 16-qpr2 allows a malicious app to reset user-selected permission choices by bypassing the permission enforcement logic (CWE-693, Protection Mechanism Failure). The flaw requires no user interaction and only low privileges already available to any installed app, but at present there is no public exploit identified at time of analysis and EPSS rates real-world exploitation probability at just 0.01%.
Technical ContextAI
Android's runtime permission model is the security boundary that gates access to sensitive APIs such as location, microphone, camera, contacts, and storage. CWE-693 (Protection Mechanism Failure) indicates the bug is not a memory corruption or logic crash but a failure of the permission enforcement layer itself: the platform's permission state, which is supposed to reflect what the user explicitly granted or denied, can be reset across multiple code paths because the checks that should guard those resets are absent or circumventable. The affected component, identified via CPE cpe:2.3:a:google:android:*, is the platform itself (AOSP framework / PermissionController) rather than a single OEM build, which means downstream device vendors all inherit the issue until they pick up the June 2026 Android Security Bulletin patch.
RemediationAI
Apply the patch published in the Android Security Bulletin dated 2026-06-01 (https://source.android.com/docs/security/bulletin/2026/2026-06-01); patch available per vendor advisory, with the fix delivered through the standard monthly security patch level on Pixel and through OEM updates for third-party devices. On managed fleets, enforce a minimum SecurityPatchLevel via MDM (Android Enterprise's setRequiredPasswordComplexity / device compliance policies) so devices below the June 2026 patch level lose access to corporate resources; the trade-off is user friction on OEMs slow to ship patches. Until devices are patched, restrict sideloading by disabling 'Install unknown apps' for all sources and require apps to come from Google Play or a vetted enterprise store, since exploitation requires a malicious app already running on the device - this reduces but does not eliminate risk because Play-distributed apps have historically carried malware. Consider Google Play Protect being enabled (default on GMS devices) as a partial compensating control while patches roll out.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210016
GHSA-rh6r-gg6r-2qxc