Skip to main content

Google Android CVE-2026-0016

| EUVDEUVD-2026-33767 LOW
Improper Privilege Management (CWE-269)
2026-06-01 google_android GHSA-m6j9-2wqp-chwc
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 00:23 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
3.3 (LOW)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Improper privilege management in Android 16 and 16-QPR2 allows a local low-privileged user to override credential provider settings across user profiles by exploiting a permissions bypass in the updateProvidersWhenServiceRemoved method of CredentialManagerService.java. The CVSS vector confirms local-only exploitation (AV:L) by an authenticated low-privilege account (PR:L) with no user interaction required, yielding limited confidentiality impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The vulnerability resides in the Android Credential Manager framework, which manages the lifecycle and registration of credential providers (password managers, passkey providers, etc.) on the device. The specific method updateProvidersWhenServiceRemoved in CredentialManagerService.java fails to enforce appropriate permission boundaries when a credential provider service is removed, allowing the calling process to manipulate settings that span multiple user profiles on the same device. CWE-269 (Improper Privilege Management) identifies the root cause class: the code grants or retains broader privilege than intended during service teardown, enabling a caller to affect state in user contexts beyond their own. CPE data (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) combined with EUVD-2026-33767 scoping narrows confirmed exposure to Android 16 and Android 16-QPR2, meaning this flaw was introduced in the Android 16 release cycle.

RemediationAI

Apply the security patch distributed via the June 2026 Android Security Bulletin (2026-06-01 patch level), available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers (OEMs) should incorporate this patch level into OTA firmware updates for affected Android 16 and 16-QPR2 devices; end users should verify their device's Security Patch Level in Settings and apply any pending system updates. Enterprise administrators managing shared or multi-user Android 16 deployments should treat this update as a priority given the cross-user exposure context. No specific documented workaround is available in current intelligence. As a compensating control pending patch deployment, restricting physical access to shared devices and limiting the number of active secondary user profiles reduces the local attack surface, though this carries the operational trade-off of reduced device-sharing functionality.

Share

CVE-2026-0016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy