Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Tapjacking via the InputInterceptor component in Android's Letterbox.java enables a locally-installed malicious app to silently capture unintended permission grants on Android 14, 15, and 16, resulting in local privilege escalation with high confidentiality impact. The vulnerability requires no elevated privileges on the part of the attacking application and is reported by Google as needing no user interaction for exploitation - a claim that is in notable tension with the tapjacking mechanism described, which inherently involves intercepting user touch events. No public exploit code exists and no active exploitation has been confirmed (EPSS 0.01%, percentile 1%), but the ease of local attack (AV:L/AC:L) and breadth of affected Android versions make patch deployment a priority for enterprise and consumer device fleets.
Technical ContextAI
The vulnerable code resides in InputInterceptor inside Letterbox.java, which is part of Android's letterboxing windowing subsystem - the compatibility layer that displays apps designed for older aspect ratios inside black-bordered frames on modern devices. InputInterceptor is responsible for routing and processing touch input events within this windowed context. A tapjacking (or UI overlay) attack abuses Android's layered window system: a malicious foreground application renders a transparent or disguised overlay precisely over a system permission dialog, so the user's tap is consumed by the malicious layer and interpreted as accepting a permission the user never knowingly approved. The CWE assigned is CWE-269 (Improper Privilege Management), which captures the outcome - a privilege grant that should not have been authorized - though CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) is the more conventional classification for tapjacking root causes. This discrepancy between the assigned CWE and the attack class is worth confirming with the Android Security Team advisory. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*.
RemediationAI
Apply the June 2026 Android Security Patch Level (SPL: 2026-06-01) as distributed by Google and downstream OEM vendors; this bulletin directly addresses CVE-2026-0046. The advisory is available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. For enterprise environments managing Android fleets via MDM, prioritize patch deployment for Android 14-16 devices. An exact fixed build version number beyond the 2026-06-01 patch level is not independently confirmed from available data - verify the specific OEM build string via device manufacturer release notes. As a compensating control where patching is delayed, restricting sideloaded or unvetted application installation via MDM policy (disabling 'Install Unknown Apps' and enforcing Google Play Protect) reduces the attack surface by limiting the delivery vector for a malicious app that would exploit this flaw, though this does not remediate the underlying InputInterceptor vulnerability.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33777
GHSA-q444-x9j9-66r8