Skip to main content

O+ Connect EUVDEUVD-2026-30825

| CVE-2026-22069 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-05-19 OPPO GHSA-447q-fg75-99r5
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 03:45 vuln.today

DescriptionCVE.org

A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface.

AnalysisAI

Local privilege escalation in OPPO's O+ Connect application stems from missing caller identity validation on a named pipe interface (CWE-266), allowing a low-privileged local user with user interaction to escalate to higher privileges with high availability impact and scope change. The CVSS 3.1 score is 7.3 and the issue was reported by OPPO itself; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

O+ Connect is OPPO's cross-device connectivity application that bridges Android handsets with desktop systems, and like most such bridges it exposes a local IPC channel - in this case a named pipe - for components running at different privilege levels to communicate. The flaw maps to CWE-266 (Incorrect Privilege Assignment), which here manifests as the pipe server accepting and acting on messages without verifying the security context (PID/SID/token) of the calling process. Because privileged components trust whatever client connects to the pipe, any local process can impersonate a legitimate higher-privileged caller and request operations beyond its own rights. The affected CPE is cpe:2.3:a:oppo:o+_connect:*:*:*:*:*:*:*:*, indicating all versions are listed without a fixed upper bound in the available data.

RemediationAI

Patch available per vendor advisory - administrators should consult OPPO's notice at https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2056566978633801728 and upgrade O+ Connect to the version specified there, since the exact fixed version is not enumerated in the available intelligence data. Where immediate patching is not possible, compensating controls include uninstalling or disabling O+ Connect on endpoints that do not require OPPO device pairing (eliminates the pipe entirely but breaks device-to-PC sync), restricting interactive logon on shared/multi-user systems so untrusted local users cannot reach the pipe, and using endpoint DAC/EDR rules to alert on unexpected processes opening the O+ Connect named pipe. Avoid relying on perimeter or network controls - this is a purely local attack surface and network filtering provides no protection.

Share

EUVD-2026-30825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy