Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android 14 through 16-qpr2 stems from misleading UI rendering in KeyChainActivity's getApplicationLabel function, which can deceive users into granting certificate access to a malicious application. SSVC indicates no observed exploitation and the attack is not automatable, but technical impact is rated total, and no public exploit was identified at time of analysis.
Technical ContextAI
The flaw resides in getApplicationLabel within KeyChainActivity.java, the system component that mediates user consent for apps requesting access to credentials stored in Android's KeyChain (typically client certificates and private keys used for VPN, Wi-Fi EAP, or enterprise authentication). The root cause maps to CWE-451 (User Interface Misrepresentation of Critical Information): the label shown in the consent prompt is sourced in a way that allows a malicious app to present a misleading or insufficient identifier, so the user sees a name that does not accurately represent the requesting app. The affected CPE is cpe:2.3:a:google:android with EUVD-tracked versions Android 14, 15, 16, and 16-qpr2.
RemediationAI
Apply the Android security patch level dated 2026-06-01 or later as documented in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); exact AOSP build identifiers are not enumerated in the provided data, so confirm the patched build for your device fleet with the OEM. No vendor-released fix version was independently provided beyond the bulletin reference, so treat this as patch available per vendor advisory. As compensating controls until devices receive the OTA, restrict installation of untrusted apps through MDM (disable sideloading and unknown sources), instruct users to scrutinize app names and icons in KeyChain consent prompts, and on managed devices avoid provisioning sensitive client certificates (VPN/EAP) onto unpatched builds - the trade-off is reduced functionality for enterprise authentication on those endpoints.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33804
GHSA-cqcr-4cr7-x5jj