Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a tapjacking/overlay attack against the startAnimation function in StageCoordinator.java. An attacker with local code execution can elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.01%).
Technical ContextAI
The flaw resides in StageCoordinator.java, a component of Android's system UI/window management responsible for orchestrating window stage transitions and animations. The root cause maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the classic 'tapjacking' weakness where a malicious overlay window can intercept or mask UI interactions belonging to a more privileged window. Because startAnimation does not adequately verify that the visible UI layer is the legitimate target of input/animation events, an attacker-controlled overlay can be drawn over privileged dialogs or system surfaces during the animation window. The CPE confirms the issue affects Google's Android platform itself rather than a specific OEM skin, meaning the defect is in AOSP/system-level code shipped across Android 14, 15, 16, and 16-qpr2 devices.
RemediationAI
Apply the Android Security Bulletin 2026-06-01 patch level or later as published at https://source.android.com/docs/security/bulletin/2026/2026-06-01 - the bulletin should be consulted for the exact security patch level (SPL) string required for Android 14, 15, 16, and 16-qpr2. A specific fix version was not included in the supplied intelligence, so treat this as patch available per vendor advisory and confirm the SPL string directly from Google's bulletin before deployment. While awaiting OEM rollout, compensating controls include disabling the 'Display over other apps' / SYSTEM_ALERT_WINDOW permission for all non-essential apps in Settings, enabling Google Play Protect to detect overlay-abusing apps, and avoiding sideloaded APKs from untrusted sources; the trade-off is that some legitimate accessibility, chat-head, and screen-recording apps will lose overlay functionality. Enterprise fleets should push a managed configuration through MDM that restricts the overlay permission and blocks unknown sources.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33769
GHSA-3rqv-c78p-x6c8