Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android 14, 15, 16, and 16-qpr2 allows a malicious app to hijack arbitrary App Links due to a logic flaw in DomainVerificationService.approvalLevelForDomainInternal. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the bug requires no user interaction and no additional execution privileges, making it attractive for chaining within malicious apps. Google addressed the issue in the June 2026 Android Security Bulletin.
Technical ContextAI
Android's DomainVerificationService is the system component that decides which installed app should automatically handle a given web URL (App Links / Digital Asset Links). The method approvalLevelForDomainInternal returns an approval tier (e.g., none, selection, verified) for a candidate package and domain pair, and the PackageManager uses that ranking to route intents. CWE-693 (Protection Mechanism Failure) fits here: the logic itself runs, but a flaw in the comparison/ranking allows an unverified or lower-tier app to be returned as the preferred handler, bypassing the verified-link protection that App Links are supposed to guarantee. The affected component is part of the Android framework (cpe:2.3:a:google:android), shipped by AOSP and OEMs across Android 14 through 16-qpr2.
RemediationAI
Apply the June 2026 Android security patch level (2026-06-01 or later) as published in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; this is the vendor-released fix for the DomainVerificationService logic error. On managed fleets, push OEM updates that report security_patch >= 2026-06-01 via MDM and block enrollment of devices below that level. Until patches are deployed on all devices, compensating controls include restricting sideloading and unknown-sources installs (limits the malicious-app delivery path), requiring users to confirm the handler for sensitive links via the 'Opening links' settings rather than relying on auto-verified App Links, and instructing high-value apps (banking, SSO) to validate the originating package or use App Links with server-side nonce checks so a hijacked client-side handler cannot complete an authentication flow - trade-off is added UX friction and possible breakage of legitimate deep-link flows.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33799
GHSA-w57c-v5jc-4hch