Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android 16-qpr2 stems from a logic error in ActivityRecord.java's resumeConfigurationDispatch routine that permits unauthorized background activity launches (BAL bypass). A local attacker with low privileges can elevate to higher privileges without any user interaction, with no public exploit identified at time of analysis and an EPSS score of 0.01% indicating very low near-term exploitation probability.
Technical ContextAI
The flaw resides in ActivityRecord.java, a core component of Android's Activity Manager that tracks the state and lifecycle of activities within the framework. The resumeConfigurationDispatch path is invoked during configuration changes (orientation, locale, density) and contains a logic error that fails to enforce Background Activity Launch (BAL) restrictions - a security control introduced in Android 10+ to prevent apps from arbitrarily starting activities while in the background. The CWE-693 (Protection Mechanism Failure) classification confirms this is not a memory-corruption issue but rather a bypass of an existing security control, allowing an untrusted app to launch privileged activities or hijack the foreground in a way that should normally be blocked.
RemediationAI
Apply the Android security patch level dated 2026-06-01 or later as documented in the Google Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01; on Pixel devices this arrives via the June 2026 OTA, while OEM devices depend on each vendor's downstream rollout. Patch available per vendor advisory - no independently confirmed standalone fix version beyond the monthly bulletin reference was provided in the available data. As compensating controls until the patch lands, restrict sideloading via MDM 'install unknown apps' policies, enforce Google Play Protect, and on managed fleets disable installation of non-Play-vetted apps; these reduce the attack surface (a local app is required) at the cost of blocking legitimate enterprise sideload workflows. Generic 'restrict background activity' user settings are not a reliable mitigation because the flaw bypasses the very BAL control that enforces them.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33793
GHSA-48h4-rxpg-gg8j