Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Technical ContextAI
The vulnerability resides in ResourceTypes.cpp, a core Android framework component written in C++ responsible for parsing binary XML and resource table data used by applications at runtime. The setTo function performs an incorrect bounds check (CWE-120 - Buffer Copy without Checking Size of Input) before executing a read operation, allowing it to access memory beyond the intended buffer boundary. CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* confirms this is an Android platform-level issue rather than an OEM-specific component. CWE-120 is a classic root cause in legacy C/C++ memory operations where size validation is inadequate prior to memory access; in this case the read-only nature of the overrun constrains impact to information disclosure rather than code execution.
RemediationAI
Apply the security patches published in the Android Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM device manufacturers will distribute these patches through their standard monthly update channels; users should verify their device's security patch level reflects the 2026-06-01 patch level or later once their OEM or carrier publishes the update. The exact patched build fingerprint is not independently confirmed beyond the bulletin reference - validate the fix by checking the security patch level in device settings post-update. As a compensating control while awaiting OEM distribution, restrict installation of applications from untrusted sources, since exploitation requires a locally installed app running with at least standard user privileges; disabling unknown app installation removes a key delivery path without significant usability trade-offs.
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33783
GHSA-4h62-c3r7-24p8