Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-QPR2) stems from a tapjacking/overlay flaw in the hide() method of WindowState.java, enabling a locally installed malicious application to covertly redirect a user's permission approval to itself. An attacker who has placed an app on the device can silently overlay a transparent window atop a system permission dialog, causing the user's tap to be misinterpreted as consent for sensitive permissions the attacker's app requested. No active exploitation is confirmed (absent from CISA KEV), no public exploit code has been identified, and the EPSS score of 0.01% (1st percentile) reflects negligible observed exploitation probability at time of analysis.
Technical ContextAI
The vulnerability originates in WindowState.java within the Android window management subsystem, specifically in the hide() method responsible for managing window visibility state transitions. The flaw permits a malicious overlay window to remain positioned above a system permission dialog despite the expected hide behavior, enabling a classic tapjacking or UI-redress attack where touch events are intercepted and attributed to the wrong recipient. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms the affected component is the Android platform application layer, spanning multiple Android release branches. CWE-269 (Improper Privilege Management) identifies the root cause class: the Android permission framework fails to enforce that the visible permission dialog is the exclusive recipient of user confirmation input, allowing a privileged-but-hidden overlay to usurp the interaction. This is a well-studied attack category in Android security, previously addressed in part by the FLAG_SECURE mechanism and overlay permission restrictions, suggesting the hide() codepath represents a gap in those existing mitigations.
RemediationAI
The primary fix is applying the Android Security Patch Level (SPL) of June 1, 2026 or later, which incorporates the patch for CVE-2026-0048 as documented in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact patched build identifier beyond the June 2026 SPL is not independently confirmed from available data - OEM-specific build numbers should be verified through device manufacturer advisories. As a compensating control prior to patching, disabling the 'Display over other apps' (SYSTEM_ALERT_WINDOW) permission for untrusted or sideloaded applications (Settings > Apps > Special app access > Display over other apps) directly removes the overlay capability the attack relies upon; note this will break legitimate use cases such as floating chat heads, screen readers, and assistive widgets. Additionally, restricting installation from unknown sources (disabling 'Install unknown apps') limits an attacker's ability to deploy the malicious overlay app in the first place, though this does not mitigate risk from apps already installed via sideload.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33778
GHSA-qgpp-r4w5-rgmm