Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android 14, 15, 16, and 16-qpr2 stems from the getCallingAppLabel function in CertInstaller.java rendering a misleading or insufficient UI that can hide a sensitive security dialogue. A local low-privileged app can leverage this UI spoofing weakness (CWE-451) to obtain elevated privileges without requiring any user interaction. There is no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Technical ContextAI
CertInstaller is the Android system component responsible for prompting users before installing certificates, keys, and other security-sensitive credentials into the device's trust store or keystore. The getCallingAppLabel method is used to resolve and display the calling application's name within the consent dialog so users can make an informed trust decision. The CWE-451 (User Interface Misrepresentation of Critical Information) root cause indicates that the label-resolution logic can be manipulated so the security dialog is hidden, suppressed, or visually deceptive - allowing a malicious caller to trigger sensitive trust operations without the user being able to recognize or refuse them. The affected component is bundled with the Android Open Source Project as shipped on Google Android per CPE cpe:2.3:a:google:android.
RemediationAI
Apply the Android Security Bulletin for June 2026 by installing a build with a security patch level of 2026-06-01 or later from your device OEM, per the upstream advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01; exact AOSP fix commits and patched build identifiers should be sourced from that bulletin (patch available per vendor advisory). On managed fleets, accelerate the monthly patch ring for Android 14, 15, 16, and 16-qpr2 devices and require the 2026-06-01 patch level as a compliance baseline in MDM. Where patching is delayed, restrict sideloading by enforcing 'Install unknown apps' off via policy and require Google Play Protect to be enabled so untrusted callers cannot reach CertInstaller; note this does not stop a malicious app already installed from invoking the component, so it is a partial control with the side effect of blocking legitimate enterprise sideloading workflows.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33800
GHSA-758m-99jr-7j44