Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.
AnalysisAI
Local privilege escalation in OPPO's O+ Connect application stems from missing caller identity validation on a named pipe interface (CWE-266), allowing a low-privileged local user with user interaction to escalate to higher privileges with high availability impact and scope change. The CVSS 3.1 score is 7.3 and the issue was reported by OPPO itself; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
O+ Connect is OPPO's cross-device connectivity application that bridges Android handsets with desktop systems, and like most such bridges it exposes a local IPC channel - in this case a named pipe - for components running at different privilege levels to communicate. The flaw maps to CWE-266 (Incorrect Privilege Assignment), which here manifests as the pipe server accepting and acting on messages without verifying the security context (PID/SID/token) of the calling process. Because privileged components trust whatever client connects to the pipe, any local process can impersonate a legitimate higher-privileged caller and request operations beyond its own rights. The affected CPE is cpe:2.3:a:oppo:o+_connect:*:*:*:*:*:*:*:*, indicating all versions are listed without a fixed upper bound in the available data.
RemediationAI
Patch available per vendor advisory - administrators should consult OPPO's notice at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2056566978633801728 and upgrade O+ Connect to the version specified there, since the exact fixed version is not enumerated in the available intelligence data. Where immediate patching is not possible, compensating controls include uninstalling or disabling O+ Connect on endpoints that do not require OPPO device pairing (eliminates the pipe entirely but breaks device-to-PC sync), restricting interactive logon on shared/multi-user systems so untrusted local users cannot reach the pipe, and using endpoint DAC/EDR rules to alert on unexpected processes opening the O+ Connect named pipe. Avoid relying on perimeter or network controls - this is a purely local attack surface and network filtering provides no protection.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30825
GHSA-447q-fg75-99r5