Skip to main content

Google Android CVE-2026-0009

| EUVDEUVD-2026-33766 HIGH
Improper Privilege Management (CWE-269)
2026-06-01 google_android GHSA-4cr7-7jgp-q22r
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 03, 2026 - 16:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 03, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
Jun 03, 2026 - 16:22 NVD
6.2 (MEDIUM) 7.8 (HIGH)
Analysis Generated
Jun 02, 2026 - 14:28 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
6.2 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.2
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple locations, there is a possible tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 15 and 16 enables a low-privileged app to perform tapjacking due to a logic error spanning multiple code locations, with no user interaction required. The flaw, tracked as CVE-2026-0009 and disclosed in the June 2026 Android Security Bulletin, has no public exploit identified at time of analysis, but SSVC scoring deems exploitation automatable with partial technical impact. EPSS is very low (0.01%, 1st percentile), suggesting limited near-term mass exploitation pressure.

Technical ContextAI

The underlying weakness is CWE-269 (Improper Privilege Management) realized as a tapjacking primitive - a UI-overlay class of attack where a malicious application overlays or obscures security-relevant prompts (such as permission dialogs or confirmation screens) so the user unknowingly grants elevated capabilities to the attacker app. Because the defect is described as a logic error in 'multiple locations' within the Android framework (cpe:2.3:a:google:android), it likely involves missing or inconsistent overlay/obscured-touch checks (e.g., FLAG_WINDOW_IS_OBSCURED / setFilterTouchesWhenObscured semantics) in privileged UI flows. The CVSS vector AV:L/AC:L/PR:L/UI:N confirms the attack originates from an installed app with low privileges and does not need an explicit user tap on the intended target, which is consistent with a tapjacking bypass that converts an apparently benign touch into a privileged action.

RemediationAI

Apply the June 2026 Android security patch level (2026-06-01 or later) as published in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; exact downstream build numbers depend on the OEM and device model, so consult the device vendor's update channel. Where patching is delayed, compensating controls include enabling Google Play Protect to block known malicious overlays, disabling the 'Display over other apps' / SYSTEM_ALERT_WINDOW permission on untrusted apps via Settings → Apps → Special access, restricting sideloading through MDM policy (block 'Install unknown apps'), and enforcing a managed-app catalog for enterprise fleets - note the trade-off that disabling overlay permission breaks legitimate accessibility, chat-head, and screen-recording apps. No vendor-confirmed standalone workaround is documented for the underlying logic error, so patching is the durable fix.

Share

CVE-2026-0009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy