Skip to main content

Google Android CVE-2026-0098

| EUVDEUVD-2026-33808 HIGH
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-06-01 google_android GHSA-mw23-v9j7-5fv7
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:30 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to bypass activity start restrictions through a confused deputy flaw in getCallingPackageName of Shared.java. No user interaction is required, and exploitation can yield high impact to confidentiality, integrity, and availability. No public exploit is identified at time of analysis, and SSVC indicates no observed exploitation in the wild.

Technical ContextAI

The flaw lies in the Android framework's Shared.java helper, specifically the getCallingPackageName routine used to identify the calling app when brokering activity launches. CWE-441 (Unintended Proxy or Intermediary, i.e. 'confused deputy') describes exactly this pattern: a privileged component performs an action on behalf of a caller while misattributing the caller's identity, allowing a low-privileged app to leverage the framework's authority to launch activities it would otherwise be blocked from launching. Affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, covering the AOSP/Google Android platform itself rather than a specific OEM build.

RemediationAI

Apply the Android Security Bulletin update dated 2026-06-01 from https://source.android.com/docs/security/bulletin/2026/2026-06-01 - ensure devices report a Security Patch Level of 2026-06-01 or later on Android 14, 15, 16, and 16-qpr2 branches; exact fixed build numbers should be taken from that bulletin since they were not enumerated in the input data. There is no documented configuration workaround for a framework-level confused-deputy bug, so compensating controls are limited: restrict installation of untrusted apps (disable 'Install unknown apps' for non-essential sources, enforce Play Protect, and require managed-app catalogs via MDM for enterprise fleets) to reduce the population of low-privileged callers that could trigger the flaw, accepting the usability trade-off of blocking sideloaded apps. For high-risk users, defer installation of newly published third-party apps until the device SPL is updated.

Share

CVE-2026-0098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy