Skip to main content

Android CVE-2026-0094

| EUVDEUVD-2026-33804 HIGH
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-06-01 google_android GHSA-cqcr-4cr7-x5jj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:27 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Android 14 through 16-qpr2 stems from misleading UI rendering in KeyChainActivity's getApplicationLabel function, which can deceive users into granting certificate access to a malicious application. SSVC indicates no observed exploitation and the attack is not automatable, but technical impact is rated total, and no public exploit was identified at time of analysis.

Technical ContextAI

The flaw resides in getApplicationLabel within KeyChainActivity.java, the system component that mediates user consent for apps requesting access to credentials stored in Android's KeyChain (typically client certificates and private keys used for VPN, Wi-Fi EAP, or enterprise authentication). The root cause maps to CWE-451 (User Interface Misrepresentation of Critical Information): the label shown in the consent prompt is sourced in a way that allows a malicious app to present a misleading or insufficient identifier, so the user sees a name that does not accurately represent the requesting app. The affected CPE is cpe:2.3:a:google:android with EUVD-tracked versions Android 14, 15, 16, and 16-qpr2.

RemediationAI

Apply the Android security patch level dated 2026-06-01 or later as documented in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); exact AOSP build identifiers are not enumerated in the provided data, so confirm the patched build for your device fleet with the OEM. No vendor-released fix version was independently provided beyond the bulletin reference, so treat this as patch available per vendor advisory. As compensating controls until devices receive the OTA, restrict installation of untrusted apps through MDM (disable sideloading and unknown sources), instruct users to scrutinize app names and icons in KeyChain consent prompts, and on managed devices avoid provisioning sensitive client certificates (VPN/EAP) onto unpatched builds - the trade-off is reduced functionality for enterprise authentication on those endpoints.

Share

CVE-2026-0094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy