Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a tapjacking/overlay weakness in the addWindow function of WindowManagerService.java. A locally-installed malicious app holding low privileges can draw deceptive overlays to hijack user taps and gain elevated permissions without requiring further user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation is not currently observed, but technical impact is rated total.
Technical ContextAI
The flaw resides in WindowManagerService.java, the core Android system service that arbitrates window creation, layering, and input dispatching for every app surface on the device. The addWindow code path is responsible for validating new window requests before they are added to the display hierarchy, and the missing or insufficient check enables an attacker-controlled window to be positioned over a sensitive UI element such as a permission consent dialog. This maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the classic UI-redress / clickjacking weakness class. Although the tag set mentions XSS, the CWE and description make clear this is a native Android UI overlay (tapjacking) issue, not a web-context cross-site scripting bug.
RemediationAI
Apply the June 2026 Android Security Bulletin (Patch available per vendor advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01) by updating affected devices to the 2026-06-01 or later Security Patch Level for the corresponding Android 14, 15, 16, and 16-qpr2 branches; OEM and carrier rollouts will determine the exact build string per device. Until the SPL is installed, compensating controls include restricting sideloading and Play Protect bypass on managed fleets, revoking the SYSTEM_ALERT_WINDOW / 'Display over other apps' permission for non-essential apps via Settings or MDM (trade-off: breaks legitimate overlay apps such as chat heads, password managers, and accessibility tools), and enabling the platform 'Hide overlays during permission requests' protection where supported (trade-off: minimal, but does not cover non-permission sensitive surfaces). Enterprise admins should also audit installed apps for the BIND_ACCESSIBILITY_SERVICE permission, which is frequently abused alongside overlay attacks.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33811
GHSA-2cvw-44hj-3wxw