Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
In onNullBinding of HostEmulationManager.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Analysis (AI)
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2): a low-privileged local app can launch an activity from the background by abusing a logic error in HostEmulationManager.onNullBinding(), part of the NFC host card emulation (HCE) code. No additional execution privileges are needed. Note that the CVE.org description states that user interaction is required, while the NVD vector scores UI:N; use the description when judging exploitability, and keep in mind that the vector is what produces the 7.8 score. No public exploit had been identified at the time of analysis.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must already have code execution on the device as an installed third-party application that can register an NFC/HCE service (PR:L, local low privilege). … |
| Risk Assessment | CVSS 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high local impact across confidentiality, integrity and availability, but exploitation requires an attacker-controlled app already running on the device with low privileges. … |
| Exploit Scenario | A user installs a seemingly benign app from a third-party store or a sideloaded APK; the app registers an NFC HCE service and waits in the background. onNullBinding() is the ServiceConnection callback that fires when a bound service's onBind() returns null, so the app is in a position to reach that code path. When the user interacts with the app (e.g., taps a notification or button), the malicious service triggers the logic flaw in onNullBinding() to launch a phishing or overlay activity from the background, capturing credentials or handing control to a higher-privileged component. … |
| Remediation | Apply the Android security patch level 2026-06-01 or later as published in the Android Security Bulletin (https://source.android.com/docs/security/bulletin/2026/2026-06-01); OEM-released builds incorporating this patch level are the authoritative fix. … |
Recommended Action (AI)
Within 24 hours: Catalog all Android 14, 15, 16, and 16-qpr2 devices across enterprise and BYOD infrastructure and record each device's security patch level (the `ro.build.version.security_patch` system property); any build reporting a level earlier than 2026-06-01 is still unpatched. …
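The inventory step above, as an added example that is not vuln.today's or Google's code: a POSIX shell script that classifies a device build against this CVE from its Android release and security patch level, and optionally pulls those values from every device attached to adb. The affected releases and the fixing patch level are taken from this page; the property names `ro.build.version.release` and `ro.build.version.security_patch` are the standard Android system properties. Devices on a 16 QPR2 build report "16" in `ro.build.version.release`, so the `16-qpr2` entry only matters for inputs copied from a bulletin rather than read from a device. The script name `check_patch_level.sh` is an assumption.

```shell
#!/bin/sh
# Added example (not vuln.today's or Google's code): classify a device build
# against this CVE. Affected releases and fixing patch level are from the page;
# property names are the standard Android system properties.
FIX_PATCH_LEVEL=2026-06-01

# is_exposed RELEASE PATCH_LEVEL
# Prints a one-line verdict; exit status 0 means the build is still exposed,
# 1 means patched or not affected, 2 means the patch level could not be parsed.
is_exposed() {
  release=$1
  patch=$2
  case "$release" in
    14|15|16|16-qpr2) ;;                        # affected releases per the page
    *) echo "not-affected (release $release)"; return 1 ;;
  esac
  # Patch levels are ISO dates (YYYY-MM-DD); strip the dashes and compare
  # numerically as YYYYMMDD, which avoids non-POSIX string ordering in test(1).
  have=$(printf '%s' "$patch" | sed 's/-//g')
  need=$(printf '%s' "$FIX_PATCH_LEVEL" | sed 's/-//g')
  case "$have" in
    ''|*[!0-9]*) echo "unknown (release $release, patch '$patch')"; return 2 ;;
  esac
  if [ "$have" -lt "$need" ]; then
    echo "exposed (release $release, patch $patch < $FIX_PATCH_LEVEL)"
    return 0
  fi
  echo "patched (release $release, patch $patch)"
  return 1
}

# scan_adb_devices: run is_exposed over every authorized device attached to adb.
# Assumes adb is on PATH and the devices are already authorized for debugging.
scan_adb_devices() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
    rel=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
    spl=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s: ' "$serial"
    is_exposed "$rel" "$spl" || true
  done
}

# Invoke as "sh check_patch_level.sh scan" to inventory attached devices;
# without the argument the script only defines the functions above.
if [ "${1:-}" = "scan" ]; then
  scan_adb_devices
fi
```

For fleets managed through an MDM, feed the exported release and patch-level columns to `is_exposed` instead of `adb`; the classification logic is the same. A device that reports a patch level at or after 2026-06-01 but an OEM build that has not actually merged the fix will be misclassified as patched, so the OEM's own bulletin remains the final word.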
Same weakness: CWE-273 – Improper Check for Dropped Privileges
Same technique: Privilege Escalation
Related identifiers: EUVD-2026-33809, GHSA-g5w2-p7g6-9x7g