Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
In multiple locations, there is a possible tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android 15 and 16 enables a low-privileged app to perform tapjacking due to a logic error spanning multiple code locations, with no user interaction required. The flaw, tracked as CVE-2026-0009 and disclosed in the June 2026 Android Security Bulletin, has no public exploit identified at time of analysis, but SSVC scoring deems exploitation automatable with partial technical impact. EPSS is very low (0.01%, 1st percentile), suggesting limited near-term mass exploitation pressure.
Technical ContextAI
The underlying weakness is CWE-269 (Improper Privilege Management) realized as a tapjacking primitive - a UI-overlay class of attack where a malicious application overlays or obscures security-relevant prompts (such as permission dialogs or confirmation screens) so the user unknowingly grants elevated capabilities to the attacker app. Because the defect is described as a logic error in 'multiple locations' within the Android framework (cpe:2.3:a:google:android), it likely involves missing or inconsistent overlay/obscured-touch checks (e.g., FLAG_WINDOW_IS_OBSCURED / setFilterTouchesWhenObscured semantics) in privileged UI flows. The CVSS vector AV:L/AC:L/PR:L/UI:N confirms the attack originates from an installed app with low privileges and does not need an explicit user tap on the intended target, which is consistent with a tapjacking bypass that converts an apparently benign touch into a privileged action.
RemediationAI
Apply the June 2026 Android security patch level (2026-06-01 or later) as published in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; exact downstream build numbers depend on the OEM and device model, so consult the device vendor's update channel. Where patching is delayed, compensating controls include enabling Google Play Protect to block known malicious overlays, disabling the 'Display over other apps' / SYSTEM_ALERT_WINDOW permission on untrusted apps via Settings → Apps → Special access, restricting sideloading through MDM policy (block 'Install unknown apps'), and enforcing a managed-app catalog for enterprise fleets - note the trade-off that disabling overlay permission breaks legitimate accessibility, chat-head, and screen-recording apps. No vendor-confirmed standalone workaround is documented for the underlying logic error, so patching is the durable fix.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33766
GHSA-4cr7-7jgp-q22r