Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Articles & Coverage 1
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to bypass activity start restrictions through a confused deputy flaw in getCallingPackageName of Shared.java. No user interaction is required, and exploitation can yield high impact to confidentiality, integrity, and availability. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation in the wild.
Technical ContextAI
The flaw lies in the Android framework's Shared.java helper, specifically the getCallingPackageName routine used to identify the calling app when brokering activity launches. CWE-441 (Unintended Proxy or Intermediary, i.e. 'confused deputy') describes exactly this pattern: a privileged component performs an action on behalf of a caller while misattributing the caller's identity, allowing a low-privileged app to leverage the framework's authority to launch activities it would otherwise be blocked from launching. Affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering the AOSP/Google Android platform itself rather than a specific OEM build.
RemediationAI
Apply the Android Security Bulletin update dated 2026-06-01 from https://source.android.com/docs/security/bulletin/2026/2026-06-01 - ensure devices report a Security Patch Level of 2026-06-01 or later on Android 14, 15, 16, and 16-qpr2 branches; exact fixed build numbers should be taken from that bulletin since they were not enumerated in the input data. There is no documented configuration workaround for a framework-level confused-deputy bug, so compensating controls are limited: restrict installation of untrusted apps (disable 'Install unknown apps' for non-essential sources, enforce Play Protect, and require managed-app catalogs via MDM for enterprise fleets) to reduce the population of low-privileged callers that could trigger the flaw, accepting the usability trade-off of blocking sideloaded apps. For high-risk users, defer installation of newly published third-party apps until the device SPL is updated.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33808
GHSA-mw23-v9j7-5fv7