Skip to main content

Google Android CVE-2026-0056

| EUVDEUVD-2026-33783 LOW
Classic Buffer Overflow (CWE-120)
2026-06-01 google_android GHSA-4h62-c3r7-24p8
3.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.3 LOW
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 02, 2026 - 00:27 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
3.3 (LOW)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Technical ContextAI

The vulnerability resides in ResourceTypes.cpp, a core Android framework component written in C++ responsible for parsing binary XML and resource table data used by applications at runtime. The setTo function performs an incorrect bounds check (CWE-120 - Buffer Copy without Checking Size of Input) before executing a read operation, allowing it to access memory beyond the intended buffer boundary. CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms this is an Android platform-level issue rather than an OEM-specific component. CWE-120 is a classic root cause in legacy C/C++ memory operations where size validation is inadequate prior to memory access; in this case the read-only nature of the overrun constrains impact to information disclosure rather than code execution.

RemediationAI

Apply the security patches published in the Android Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM device manufacturers will distribute these patches through their standard monthly update channels; users should verify their device's security patch level reflects the 2026-06-01 patch level or later once their OEM or carrier publishes the update. The exact patched build fingerprint is not independently confirmed beyond the bulletin reference - validate the fix by checking the security patch level in device settings post-update. As a compensating control while awaiting OEM distribution, restrict installation of applications from untrusted sources, since exploitation requires a locally installed app running with at least standard user privileges; disabling unknown app installation removes a key delivery path without significant usability trade-offs.

Share

CVE-2026-0056 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy