Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple locations, there is a possible way to execute code in the launcher process due to an over-privileged shell user. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged shell user to execute code within the launcher process due to over-privileged shell user permissions in multiple code locations. The flaw requires no user interaction and no additional execution privileges, enabling an attacker with shell-level access to gain elevated privileges. No public exploit identified at time of analysis, and SSVC indicates no observed exploitation, though technical impact is rated total.
Technical ContextAI
The vulnerability resides in the Android launcher process - the system component responsible for the home screen and app management - where shell user accounts (typically the 'shell' UID used for ADB and developer access) hold permissions beyond what they require. This is a classic CWE-269 (Improper Privilege Management) weakness, where a process or user identity is granted capabilities that should be restricted to higher-trust contexts. The CPE entry cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers all Android variants, and the EUVD enumeration confirms the issue spans Android 14 through 16-qpr2, suggesting a long-standing over-permissive configuration rather than a regression introduced in a single release.
RemediationAI
Patch available per vendor advisory - apply the Android security patch level published in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01), which addresses the over-privileged shell user condition in the launcher process. Device owners should update to the latest available OTA from their OEM that includes the 2026-06-01 (or later) security patch level; enterprise fleets should enforce minimum SPL via MDM compliance policies. As compensating controls until patches roll out, disable USB debugging (ADB) on production devices to remove the most common path to shell-level access, restrict physical device access in shared/kiosk deployments, and for MDM-managed fleets consider disabling developer options entirely via policy - note that this will block legitimate debugging workflows and field-support tooling.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33802
GHSA-q687-8858-63rc