Skip to main content

Android EUVDEUVD-2026-33793

| CVE-2026-0077 HIGH
Protection Mechanism Failure (CWE-693)
2026-06-01 google_android GHSA-48h4-rxpg-gg8j
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jun 03, 2026 - 14:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Jun 03, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Jun 03, 2026 - 14:22 NVD
5.9 (MEDIUM) 7.8 (HIGH)
Analysis Generated
Jun 02, 2026 - 14:29 vuln.today
CVSS changed
Jun 02, 2026 - 14:22 NVD
5.9 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.9
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 16-qpr2 stems from a logic error in ActivityRecord.java's resumeConfigurationDispatch routine that permits unauthorized background activity launches (BAL bypass). A local attacker with low privileges can elevate to higher privileges without any user interaction, with no public exploit identified at time of analysis and an EPSS score of 0.01% indicating very low near-term exploitation probability.

Technical ContextAI

The flaw resides in ActivityRecord.java, a core component of Android's Activity Manager that tracks the state and lifecycle of activities within the framework. The resumeConfigurationDispatch path is invoked during configuration changes (orientation, locale, density) and contains a logic error that fails to enforce Background Activity Launch (BAL) restrictions - a security control introduced in Android 10+ to prevent apps from arbitrarily starting activities while in the background. The CWE-693 (Protection Mechanism Failure) classification confirms this is not a memory-corruption issue but rather a bypass of an existing security control, allowing an untrusted app to launch privileged activities or hijack the foreground in a way that should normally be blocked.

RemediationAI

Apply the Android security patch level dated 2026-06-01 or later as documented in the Google Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; on Pixel devices this arrives via the June 2026 OTA, while OEM devices depend on each vendor's downstream rollout. Patch available per vendor advisory - no independently confirmed standalone fix version beyond the monthly bulletin reference was provided in the available data. As compensating controls until the patch lands, restrict sideloading via MDM 'install unknown apps' policies, enforce Google Play Protect, and on managed fleets disable installation of non-Play-vetted apps; these reduce the attack surface (a local app is required) at the cost of blocking legitimate enterprise sideload workflows. Generic 'restrict background activity' user settings are not a reliable mitigation because the flaw bypasses the very BAL control that enforces them.

Share

EUVD-2026-33793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy