Skip to main content

Google Android CVE-2026-0093

| EUVDEUVD-2026-33803 HIGH
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-01 google_android GHSA-x52h-cw59-46x3
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:29 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a misleading UI caused by UI obfuscation across multiple components, enabling a low-privileged local app to elevate privileges without user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation status is 'none' despite a total technical impact rating.

Technical ContextAI

The root cause maps to CWE-451 (User Interface (UI) Misrepresentation of Critical Information), a class of weakness where the UI presents information in a deceptive way - through overlays, obfuscation, spoofed prompts, or hidden context - causing a user (or the operating system acting on the user's behalf) to authorize an action they did not intend. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* identifies the Android platform itself rather than a specific app, and Google's bulletin describes the issue as residing 'in multiple locations,' implying several Android framework or system UI components share this UI-obfuscation pattern. Because the CVSS vector specifies UI:N (no user interaction), the misrepresentation likely allows a local app to spoof system-level prompts or consent dialogs in a way that the system, rather than the user, is tricked into granting elevated privileges.

RemediationAI

Patch available per vendor advisory - apply the June 2026 Android Security Bulletin update by ensuring devices reach the 2026-06-01 (or later) security patch level as published at https://source.android.com/docs/security/bulletin/2026/2026-06-01; exact framework versions per affected branch (14, 15, 16, 16-qpr2) are enumerated in that bulletin. Where OEM patches lag, compensating controls include restricting sideloading via Play Protect and MDM policies, disallowing installation from unknown sources, requiring Work Profile separation for untrusted apps, and using MDM to enforce minimum patch level on managed devices (trade-off: blocks otherwise functional devices from accessing corporate resources). Disabling apps' ability to draw overlays (Settings → Apps → Special access → Display over other apps) reduces the attack surface for UI-spoofing classes of bug at the cost of breaking legitimate floating-window features such as chat heads and accessibility tools.

Share

CVE-2026-0093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy