Skip to main content

Google Android CVE-2026-0060

| EUVDEUVD-2026-33785 MEDIUM
2026-06-01 google_android GHSA-7g73-7cr8-8qpw
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:31 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In updateState of GraphicsDriverEnableAngleAsSystemDriverController.java, there is a possible persistent dos issue due to an unusual root cause. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent local denial of service in Google Android affects the ANGLE graphics driver state management component across Android 14, 15, 16, and 16-qpr2. A low-privileged local process can trigger a persistent DoS condition via the updateState method in GraphicsDriverEnableAngleAsSystemDriverController.java without requiring any user interaction, potentially rendering the device unusable until rebooted. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.

Technical ContextAI

The vulnerability exists in GraphicsDriverEnableAngleAsSystemDriverController.java, specifically in the updateState method responsible for managing the system-level enablement state of ANGLE (Almost Native Graphics Layer Engine) as the system graphics driver on Android. ANGLE is a cross-platform graphics abstraction layer that translates OpenGL ES API calls to platform-native graphics APIs (e.g., Vulkan, Metal, Direct3D). The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covering all architectures and variants of the affected release trains. The root cause is described as 'unusual' by Google and the CWE is listed as N/A, suggesting this is likely a logic flaw, state machine error, or unhandled edge case in the driver enablement lifecycle rather than a conventional memory safety vulnerability. The persistence of the DoS - implying it survives beyond the triggering process - points to a durable system-level state corruption or a crash loop in a privileged system service.

RemediationAI

Apply the Android Security Bulletin patch for June 2026 (2026-06-01), available through OEM device update channels and the Android Open Source Project. The bulletin is accessible at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact patched version number was not independently confirmed from available input data - device administrators should verify patch level via Settings > About Phone > Android Security Patch Level, ensuring the device reflects the 2026-06-01 security patch level or later. For enterprise environments managing Android fleets via MDM (e.g., Android Enterprise, Microsoft Intune), enforce mandatory patch level compliance policies. As a compensating control where patching is not immediately feasible, restricting sideloading and app installation from unknown sources reduces exposure to untrusted low-privileged processes that could trigger the condition, though this does not eliminate risk from compromised legitimate apps.

Share

CVE-2026-0060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy