Skip to main content

Android CVE-2026-0061

| EUVDEUVD-2026-33786 MEDIUM
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-01 google_android GHSA-wf5q-537c-cmrj
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:28 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
5.9 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.9

DescriptionCVE.org

In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Tapjacking and UI overlay exploitation in Android's WindowState.java enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated permissions from the attacker. A malicious app on the device can deploy a deceptive overlay over system permission dialogs, causing the victim to unknowingly grant elevated permissions. No public exploit has been identified at time of analysis, and EPSS at 0.01% (1st percentile) indicates very low current exploitation probability, though the broad Android version coverage across actively maintained releases elevates the aggregate exposure.

Technical ContextAI

The vulnerability resides in WindowState.java, a core Android framework class responsible for managing the state and rendering of application windows, including system UI overlays and permission dialogs. CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) describes the root cause: the Android window management subsystem fails to sufficiently restrict or validate which UI layers can be rendered on top of permission prompts, enabling an attacker-controlled overlay to occlude or mimic legitimate system dialogs. This is a classic tapjacking attack primitive - an adversary-controlled app renders a transparent or misleading UI layer precisely over a permission grant button, causing a user's tap to be registered against the hidden system dialog. Affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covering Android 14, 15, 16, and 16-qpr2. The 'XSS' tag in the intelligence metadata appears to be a mis-categorization artifact; the actual vulnerability class is strictly UI redressing/overlay, not cross-site scripting.

RemediationAI

Apply the patch documented in the Android Security Bulletin for 2026-06-01 (https://source.android.com/docs/security/bulletin/2026/2026-06-01); an exact patched release version is not independently confirmed from the available input data - the patch is available per the vendor advisory but the specific fixed build number should be verified directly from the bulletin. For enterprise Android device management, prioritize pushing the June 2026 Android Security Patch Level (SPL) via MDM as soon as OEM builds are available. As a compensating control prior to patching, Mobile Device Management (MDM) policies can be used to restrict sideloaded or unapproved application installations, which limits the attack surface since exploitation requires a malicious app to be present on the device. Restricting 'Draw over other apps' (SYSTEM_ALERT_WINDOW) permission for untrusted applications via MDM policy directly constrains the overlay mechanism this vulnerability relies on, though this may break legitimate accessibility or productivity apps that depend on overlay functionality.

Share

CVE-2026-0061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy