Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android 16 and 16-qpr2 allows an attacker with low-privilege code execution on the device to gain elevated privileges by exploiting an incorrect bounds check that causes a desync in persistence logic across multiple functions. Categorized as CWE-120 buffer overflow with high confidentiality, integrity, and availability impact, the flaw requires no user interaction and has no public exploit identified at time of analysis. CISA SSVC scoring indicates no observed exploitation but rates technical impact as total.
Technical ContextAI
The vulnerability is a CWE-120 classic buffer copy without checking size of input (buffer overflow) located in the Android platform's persistence-handling code paths. According to the description, multiple functions perform an incorrect bounds check that produces a desync condition in persistence state, which a local attacker can leverage to corrupt memory or state used in privilege decisions. The CPE string cpe:2.3:a:google:android scopes the issue to the Android operating system itself rather than a specific OEM layer, and the tag 'Buffer Overflow' aligns directly with the CWE root cause class.
RemediationAI
Patch available per vendor advisory: apply the Android Security Patch Level 2026-06-01 or later as published in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); exact fix version/build number was not provided in the input data, so verify against the SPL string reported under Settings > About phone after update. On devices where the OEM has not yet shipped the June 2026 SPL, compensating controls include restricting sideloading by disabling 'Install unknown apps' for all sources, enforcing Google Play Protect, and using MDM policies to block installation of non-vetted applications - these reduce the likelihood that an attacker can obtain the local foothold needed to chain this LPE, at the cost of constraining user app choice and developer-mode workflows.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33813
GHSA-vvwc-gw3f-hjhm