Skip to main content

Android CVE-2026-0076

| EUVDEUVD-2026-33792 HIGH
Out-of-bounds Read (CWE-125)
2026-06-01 google_android GHSA-m48c-vf9h-rvr2
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 02, 2026 - 16:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 02, 2026 - 16:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 02, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jun 02, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
Jun 02, 2026 - 16:22 NVD
4.7 (MEDIUM) 7.8 (HIGH)
Analysis Generated
Jun 02, 2026 - 14:29 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
4.7 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 4.7
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Android 14, 15, and 16 (including 16-qpr2) stems from an out-of-bounds read in the validateNode function of ResourceTypes.cpp, part of the Android resource parsing layer. A local attacker running an unprivileged app can leverage the flaw to elevate privileges without user interaction. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is addressed in the June 2026 Android Security Bulletin.

Technical ContextAI

ResourceTypes.cpp is part of the Android resource handling subsystem (libandroidfw / AAPT) used to parse compiled binary resource tables (resources.arsc) inside APKs and framework assets. The validateNode routine performs structural validation on resource chunks, and an incorrect bounds check leads to a CWE-125 out-of-bounds read - the code reads memory past the end of an attacker-controlled buffer. Because this parser executes inside privileged Android system processes (e.g., system_server or installd) when handling resource data from less-trusted callers, an OOB read can leak sensitive memory or be combined with other primitives to enable privilege escalation, consistent with the CVSS High/High/High impact triad.

RemediationAI

Apply the June 2026 Android Security Bulletin patches by updating to a security patch level of 2026-06-01 or later as documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM rollout timing varies, so on managed fleets enforce a minimum patch level via MDM/Android Enterprise compliance policies. As a compensating control until the patch is installed, restrict installation of untrusted third-party APKs (disable 'Install unknown apps' for all sources) and use Play Protect plus enterprise app allow-listing, since exploitation requires local code execution via an installed app; note this does not protect against a malicious app that is already present. No vendor-released patched component version is enumerated beyond the security patch level identifier.

Share

CVE-2026-0076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy