Skip to main content

Android CVE-2026-0087

| EUVDEUVD-2026-33799 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-01 google_android GHSA-w57c-v5jc-4hch
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 14:27 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Android 14, 15, 16, and 16-qpr2 allows a malicious app to hijack arbitrary App Links due to a logic flaw in DomainVerificationService.approvalLevelForDomainInternal. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the bug requires no user interaction and no additional execution privileges, making it attractive for chaining within malicious apps. Google addressed the issue in the June 2026 Android Security Bulletin.

Technical ContextAI

Android's DomainVerificationService is the system component that decides which installed app should automatically handle a given web URL (App Links / Digital Asset Links). The method approvalLevelForDomainInternal returns an approval tier (e.g., none, selection, verified) for a candidate package and domain pair, and the PackageManager uses that ranking to route intents. CWE-693 (Protection Mechanism Failure) fits here: the logic itself runs, but a flaw in the comparison/ranking allows an unverified or lower-tier app to be returned as the preferred handler, bypassing the verified-link protection that App Links are supposed to guarantee. The affected component is part of the Android framework (cpe:2.3:a:google:android), shipped by AOSP and OEMs across Android 14 through 16-qpr2.

RemediationAI

Apply the June 2026 Android security patch level (2026-06-01 or later) as published in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; this is the vendor-released fix for the DomainVerificationService logic error. On managed fleets, push OEM updates that report security_patch >= 2026-06-01 via MDM and block enrollment of devices below that level. Until patches are deployed on all devices, compensating controls include restricting sideloading and unknown-sources installs (limits the malicious-app delivery path), requiring users to confirm the handler for sensitive links via the 'Opening links' settings rather than relying on auto-verified App Links, and instructing high-value apps (banking, SSO) to validate the originating package or use App Links with server-side nonce checks so a hijacked client-side handler cannot complete an authentication flow - trade-off is added UX friction and possible breakage of legitimate deep-link flows.

Share

CVE-2026-0087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy