Skip to main content

Google Android CVE-2026-0048

| EUVDEUVD-2026-33778 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-01 google_android GHSA-qgpp-r4w5-rgmm
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 17:28 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
6.8 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-QPR2) stems from a tapjacking/overlay flaw in the hide() method of WindowState.java, enabling a locally installed malicious application to covertly redirect a user's permission approval to itself. An attacker who has placed an app on the device can silently overlay a transparent window atop a system permission dialog, causing the user's tap to be misinterpreted as consent for sensitive permissions the attacker's app requested. No active exploitation is confirmed (absent from CISA KEV), no public exploit code has been identified, and the EPSS score of 0.01% (1st percentile) reflects negligible observed exploitation probability at time of analysis.

Technical ContextAI

The vulnerability originates in WindowState.java within the Android window management subsystem, specifically in the hide() method responsible for managing window visibility state transitions. The flaw permits a malicious overlay window to remain positioned above a system permission dialog despite the expected hide behavior, enabling a classic tapjacking or UI-redress attack where touch events are intercepted and attributed to the wrong recipient. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms the affected component is the Android platform application layer, spanning multiple Android release branches. CWE-269 (Improper Privilege Management) identifies the root cause class: the Android permission framework fails to enforce that the visible permission dialog is the exclusive recipient of user confirmation input, allowing a privileged-but-hidden overlay to usurp the interaction. This is a well-studied attack category in Android security, previously addressed in part by the FLAG_SECURE mechanism and overlay permission restrictions, suggesting the hide() codepath represents a gap in those existing mitigations.

RemediationAI

The primary fix is applying the Android Security Patch Level (SPL) of June 1, 2026 or later, which incorporates the patch for CVE-2026-0048 as documented in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact patched build identifier beyond the June 2026 SPL is not independently confirmed from available data - OEM-specific build numbers should be verified through device manufacturer advisories. As a compensating control prior to patching, disabling the 'Display over other apps' (SYSTEM_ALERT_WINDOW) permission for untrusted or sideloaded applications (Settings > Apps > Special app access > Display over other apps) directly removes the overlay capability the attack relies upon; note this will break legitimate use cases such as floating chat heads, screen readers, and assistive widgets. Additionally, restricting installation from unknown sources (disabling 'Install unknown apps') limits an attacker's ability to deploy the malicious overlay app in the first place, though this does not mitigate risk from apps already installed via sideload.

Share

CVE-2026-0048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy