Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a misleading UI caused by UI obfuscation across multiple components, enabling a low-privileged local app to elevate privileges without user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation status is 'none' despite a total technical impact rating.
Technical ContextAI
The root cause maps to CWE-451 (User Interface (UI) Misrepresentation of Critical Information), a class of weakness where the UI presents information in a deceptive way - through overlays, obfuscation, spoofed prompts, or hidden context - causing a user (or the operating system acting on the user's behalf) to authorize an action they did not intend. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* identifies the Android platform itself rather than a specific app, and Google's bulletin describes the issue as residing 'in multiple locations,' implying several Android framework or system UI components share this UI-obfuscation pattern. Because the CVSS vector specifies UI:N (no user interaction), the misrepresentation likely allows a local app to spoof system-level prompts or consent dialogs in a way that the system, rather than the user, is tricked into granting elevated privileges.
RemediationAI
Patch available per vendor advisory - apply the June 2026 Android Security Bulletin update by ensuring devices reach the 2026-06-01 (or later) security patch level as published at https://source.android.com/docs/security/bulletin/2026/2026-06-01; exact framework versions per affected branch (14, 15, 16, 16-qpr2) are enumerated in that bulletin. Where OEM patches lag, compensating controls include restricting sideloading via Play Protect and MDM policies, disallowing installation from unknown sources, requiring Work Profile separation for untrusted apps, and using MDM to enforce minimum patch level on managed devices (trade-off: blocks otherwise functional devices from accessing corporate resources). Disabling apps' ability to draw overlays (Settings → Apps → Special access → Display over other apps) reduces the attack surface for UI-spoofing classes of bug at the cost of breaking legitimate floating-window features such as chat heads and accessibility tools.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33803
GHSA-x52h-cw59-46x3