Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android 16 and Android 16-qpr2 allows a low-privileged app to deceive the user into forgetting a paired Bluetooth or companion device via a misleading UI in the ForgetDeviceDialogFragment. No public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none' with total technical impact. The flaw is a UI spoofing weakness (CWE-451) reachable without any user interaction beyond normal dialog acknowledgement.
Technical ContextAI
The defect lives in the getAppLabel routine of ForgetDeviceDialogFragment.java, a Settings/SystemUI component that renders the 'Forget device' confirmation dialog for paired companion devices. The CWE-451 (User Interface Misrepresentation of Critical Information) classification indicates that the label returned for the calling app is insufficiently validated or sanitized, so a malicious app can supply a deceptive application name or context string that causes the dialog to misrepresent which device or which requesting app is involved. Because the dialog is part of trusted system UI but pulls untrusted attacker-controlled strings, the user is tricked into authorizing an action against a different device than they believe. The CPE cpe:2.3:a:google:android scope confirms this is in the Android platform/AOSP layer rather than a third-party OEM addition.
RemediationAI
Apply the June 2026 Android security patch level (2026-06-01 or later) from the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM and carrier rollouts based on this bulletin are the authoritative fix. Patch available per vendor advisory; an exact AOSP tag is not enumerated in the supplied data, so confirm the build fingerprint after update. Until devices receive the patch, compensating controls are limited because the dialog is in system UI: restrict installation to vetted apps from Play (Play Protect plus Advanced Protection where available), discourage sideloading on managed fleets via MDM, and train users to verify the device name shown on a 'Forget device' prompt against the Bluetooth/Companion settings list before confirming - the trade-off is added friction for legitimate unpair flows.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33806
GHSA-7p95-c5qm-8mrx