Skip to main content

Android CVE-2026-28580

| EUVDEUVD-2026-33813 HIGH
Classic Buffer Overflow (CWE-120)
2026-06-01 google_android GHSA-vvwc-gw3f-hjhm
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:28 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 16 and 16-qpr2 allows an attacker with low-privilege code execution on the device to gain elevated privileges by exploiting an incorrect bounds check that causes a desync in persistence logic across multiple functions. Categorized as CWE-120 buffer overflow with high confidentiality, integrity, and availability impact, the flaw requires no user interaction and has no public exploit identified at time of analysis. CISA SSVC scoring indicates no observed exploitation but rates technical impact as total.

Technical ContextAI

The vulnerability is a CWE-120 classic buffer copy without checking size of input (buffer overflow) located in the Android platform's persistence-handling code paths. According to the description, multiple functions perform an incorrect bounds check that produces a desync condition in persistence state, which a local attacker can leverage to corrupt memory or state used in privilege decisions. The CPE string cpe:2.3:a:google:android scopes the issue to the Android operating system itself rather than a specific OEM layer, and the tag 'Buffer Overflow' aligns directly with the CWE root cause class.

RemediationAI

Patch available per vendor advisory: apply the Android Security Patch Level 2026-06-01 or later as published in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); exact fix version/build number was not provided in the input data, so verify against the SPL string reported under Settings > About phone after update. On devices where the OEM has not yet shipped the June 2026 SPL, compensating controls include restricting sideloading by disabling 'Install unknown apps' for all sources, enforcing Google Play Protect, and using MDM policies to block installation of non-vetted applications - these reduce the likelihood that an attacker can obtain the local foothold needed to chain this LPE, at the cost of constraining user app choice and developer-mode workflows.

Share

CVE-2026-28580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy