Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Tapjacking and UI overlay exploitation in Android's WindowState.java enables local privilege escalation on Android 14, 15, 16, and 16-qpr2 without requiring any elevated permissions from the attacker. A malicious app on the device can deploy a deceptive overlay over system permission dialogs, causing the victim to unknowingly grant elevated permissions. No public exploit has been identified at time of analysis, and EPSS at 0.01% (1st percentile) indicates very low current exploitation probability, though the broad Android version coverage across actively maintained releases elevates the aggregate exposure.
Technical ContextAI
The vulnerability resides in WindowState.java, a core Android framework class responsible for managing the state and rendering of application windows, including system UI overlays and permission dialogs. CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) describes the root cause: the Android window management subsystem fails to sufficiently restrict or validate which UI layers can be rendered on top of permission prompts, enabling an attacker-controlled overlay to occlude or mimic legitimate system dialogs. This is a classic tapjacking attack primitive - an adversary-controlled app renders a transparent or misleading UI layer precisely over a permission grant button, causing a user's tap to be registered against the hidden system dialog. Affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covering Android 14, 15, 16, and 16-qpr2. The 'XSS' tag in the intelligence metadata appears to be a mis-categorization artifact; the actual vulnerability class is strictly UI redressing/overlay, not cross-site scripting.
RemediationAI
Apply the patch documented in the Android Security Bulletin for 2026-06-01 (https://source.android.com/docs/security/bulletin/2026/2026-06-01); an exact patched release version is not independently confirmed from the available input data - the patch is available per the vendor advisory but the specific fixed build number should be verified directly from the bulletin. For enterprise Android device management, prioritize pushing the June 2026 Android Security Patch Level (SPL) via MDM as soon as OEM builds are available. As a compensating control prior to patching, Mobile Device Management (MDM) policies can be used to restrict sideloaded or unapproved application installations, which limits the attack surface since exploitation requires a malicious app to be present on the device. Restricting 'Draw over other apps' (SYSTEM_ALERT_WINDOW) permission for untrusted applications via MDM policy directly constrains the overlay mechanism this vulnerability relies on, though this may break legitimate accessibility or productivity apps that depend on overlay functionality.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33786
GHSA-wf5q-537c-cmrj