Skip to main content

Google Android EUVDEUVD-2026-33768

| CVE-2026-0018 MEDIUM
Improper Input Validation (CWE-20)
2026-06-01 google_android GHSA-3xcf-hvq9-vw7c
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:23 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In multiple functions of AccessibilityManagerService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent denial of service in Google Android's AccessibilityManagerService affects Android 15, Android 16, and Android 16-qpr2, allowing a local low-privileged attacker to permanently disrupt the accessibility subsystem without user interaction. The CVSS vector (AV:L/AC:L/PR:L/UI:N/A:H) confirms low-complexity local exploitation requiring only a standard app execution context. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Technical ContextAI

AccessibilityManagerService.java is the central system service managing Android's accessibility framework, handling inter-process communication between apps and accessibility providers (e.g., TalkBack, switch access). CWE-20 (Improper Input Validation) indicates that multiple functions within this service fail to adequately sanitize or bound-check caller-supplied data, enabling a malicious or compromised app to pass crafted inputs that trigger a persistent fault state - one that survives normal recovery paths such as service restart. The affected CPE (cpe:2.3:a:google:android:*:*:*:*:*:*:*:*) spans the Android application platform layer, confirmed across Android 15, Android 16, and Android 16-qpr2 per ENISA EUVD-2026-33768.

RemediationAI

Apply the Android Security Bulletin patches for June 2026, available via OEM/carrier update channels and documented at https://source.android.com/docs/security/bulletin/2026/2026-06-01. The exact patched build version should be verified against the bulletin's patch level table for your specific device and OEM. No exact fixed version string (e.g., a tagged AOSP release) was independently confirmed from available data - the fix is attributed to the June 2026 bulletin. As a compensating control where patching is delayed, enterprise MDM policies can restrict sideloading of untrusted apps and enforce application allowlisting to prevent arbitrary local code execution, which is the prerequisite for exploitation. This control limits exposure but does not eliminate risk from malicious apps distributed via the Play Store or other trusted channels.

Share

EUVD-2026-33768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy