Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android 14, 15, and 16 (including 16-qpr2) stems from an out-of-bounds read in the validateNode function of ResourceTypes.cpp, part of the Android resource parsing layer. A local attacker running an unprivileged app can leverage the flaw to elevate privileges without user interaction. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is addressed in the June 2026 Android Security Bulletin.
Technical ContextAI
ResourceTypes.cpp is part of the Android resource handling subsystem (libandroidfw / AAPT) used to parse compiled binary resource tables (resources.arsc) inside APKs and framework assets. The validateNode routine performs structural validation on resource chunks, and an incorrect bounds check leads to a CWE-125 out-of-bounds read - the code reads memory past the end of an attacker-controlled buffer. Because this parser executes inside privileged Android system processes (e.g., system_server or installd) when handling resource data from less-trusted callers, an OOB read can leak sensitive memory or be combined with other primitives to enable privilege escalation, consistent with the CVSS High/High/High impact triad.
RemediationAI
Apply the June 2026 Android Security Bulletin patches by updating to a security patch level of 2026-06-01 or later as documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM rollout timing varies, so on managed fleets enforce a minimum patch level via MDM/Android Enterprise compliance policies. As a compensating control until the patch is installed, restrict installation of untrusted third-party APKs (disable 'Install unknown apps' for all sources) and use Play Protect plus enterprise app allow-listing, since exploitation requires local code execution via an installed app; note this does not protect against a malicious app that is already present. No vendor-released patched component version is enumerated beyond the security patch level identifier.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33792
GHSA-m48c-vf9h-rvr2