Skip to main content

Google Android CVE-2026-0036

| EUVDEUVD-2026-33769 HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-01 google_android GHSA-3rqv-c78p-x6c8
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:26 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a tapjacking/overlay attack against the startAnimation function in StageCoordinator.java. An attacker with local code execution can elevate privileges without user interaction or additional execution rights. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.01%).

Technical ContextAI

The flaw resides in StageCoordinator.java, a component of Android's system UI/window management responsible for orchestrating window stage transitions and animations. The root cause maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the classic 'tapjacking' weakness where a malicious overlay window can intercept or mask UI interactions belonging to a more privileged window. Because startAnimation does not adequately verify that the visible UI layer is the legitimate target of input/animation events, an attacker-controlled overlay can be drawn over privileged dialogs or system surfaces during the animation window. The CPE confirms the issue affects Google's Android platform itself rather than a specific OEM skin, meaning the defect is in AOSP/system-level code shipped across Android 14, 15, 16, and 16-qpr2 devices.

RemediationAI

Apply the Android Security Bulletin 2026-06-01 patch level or later as published at https://source.android.com/docs/security/bulletin/2026/2026-06-01 - the bulletin should be consulted for the exact security patch level (SPL) string required for Android 14, 15, 16, and 16-qpr2. A specific fix version was not included in the supplied intelligence, so treat this as patch available per vendor advisory and confirm the SPL string directly from Google's bulletin before deployment. While awaiting OEM rollout, compensating controls include disabling the 'Display over other apps' / SYSTEM_ALERT_WINDOW permission for all non-essential apps in Settings, enabling Google Play Protect to detect overlay-abusing apps, and avoiding sideloaded APKs from untrusted sources; the trade-off is that some legitimate accessibility, chat-head, and screen-recording apps will lose overlay functionality. Enterprise fleets should push a managed configuration through MDM that restricts the overlay permission and blocks unknown sources.

Share

CVE-2026-0036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy