Skip to main content

Google Android EUVDEUVD-2025-210009

| CVE-2025-22426 HIGH
Improper Access Control (CWE-284)
2026-06-01 google_android GHSA-jmw3-jmqp-jvmp
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 03, 2026 - 14:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Jun 03, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Jun 03, 2026 - 14:22 NVD
5.9 (MEDIUM) 7.8 (HIGH)
Analysis Generated
Jun 02, 2026 - 14:27 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
5.9 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.9
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) allows a low-privileged app to access URIs belonging to other users on the device due to a logic error across multiple functions in ComputerEngine.java. No user interaction or additional execution privileges are required, but exploitation is local and currently no public exploit is identified at time of analysis (EPSS 0.12%, SSVC exploitation: none).

Technical ContextAI

The flaw resides in ComputerEngine.java, a component of the Android PackageManager service stack responsible for resolving and querying package and content URI information across the multi-user framework. Android isolates data between users (work profiles, secondary users, guest accounts) via UID/user-ID boundaries enforced through permission checks on URI grants. The CWE-284 (Improper Access Control) classification indicates that one or more code paths in this engine fail to correctly validate cross-user URI access, breaking the user-isolation boundary that Android's multi-user model depends on. Per CPE data, the affected product is Google Android across multiple major releases.

RemediationAI

Apply the Android Security Bulletin patch level dated 2026-06-01 or later, available via the June 2026 Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM-shipped patches will roll out on the device manufacturer's schedule, so enterprise fleets should verify the security patch level (Settings → About → Android security update) reflects 2026-06-01 or newer. No vendor-released patched build version is independently confirmed in the supplied data beyond the bulletin date reference. As a compensating control until patched OEM builds reach devices, restrict sideloading via MDM (disallow installation from unknown sources) and review managed Google Play allowlists to reduce the risk of a malicious local app being present; on multi-user/work-profile deployments, minimize the use of secondary users carrying sensitive data on unpatched devices, accepting the trade-off of reduced profile separation features.

Share

EUVD-2025-210009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy