Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Improper privilege management in Android 16 and 16-QPR2 allows a local low-privileged user to override credential provider settings across user profiles by exploiting a permissions bypass in the updateProvidersWhenServiceRemoved method of CredentialManagerService.java. The CVSS vector confirms local-only exploitation (AV:L) by an authenticated low-privilege account (PR:L) with no user interaction required, yielding limited confidentiality impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The vulnerability resides in the Android Credential Manager framework, which manages the lifecycle and registration of credential providers (password managers, passkey providers, etc.) on the device. The specific method updateProvidersWhenServiceRemoved in CredentialManagerService.java fails to enforce appropriate permission boundaries when a credential provider service is removed, allowing the calling process to manipulate settings that span multiple user profiles on the same device. CWE-269 (Improper Privilege Management) identifies the root cause class: the code grants or retains broader privilege than intended during service teardown, enabling a caller to affect state in user contexts beyond their own. CPE data (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) combined with EUVD-2026-33767 scoping narrows confirmed exposure to Android 16 and Android 16-QPR2, meaning this flaw was introduced in the Android 16 release cycle.
RemediationAI
Apply the security patch distributed via the June 2026 Android Security Bulletin (2026-06-01 patch level), available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers (OEMs) should incorporate this patch level into OTA firmware updates for affected Android 16 and 16-QPR2 devices; end users should verify their device's Security Patch Level in Settings and apply any pending system updates. Enterprise administrators managing shared or multi-user Android 16 deployments should treat this update as a priority given the cross-user exposure context. No specific documented workaround is available in current intelligence. As a compensating control pending patch deployment, restricting physical access to shared devices and limiting the number of active secondary user profiles reduces the local attack surface, though this carries the operational trade-off of reduced device-sharing functionality.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33767
GHSA-m6j9-2wqp-chwc