Skip to main content

Android EUVDEUVD-2026-33810

| CVE-2026-0100 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-06-01 google_android GHSA-cj7m-v38w-w8vq
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:28 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In Load of LoadedArsc.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Android (versions 14, 15, 16, and 16-qpr2) stems from a heap buffer overflow in the LoadedArsc.cpp resource table loader, allowing a low-privileged local process to write out of bounds and gain elevated execution privileges without user interaction. No public exploit identified at time of analysis, and SSVC scoring indicates exploitation has not been observed despite a 'total' technical impact rating. Patches are tracked in the June 2026 Android Security Bulletin.

Technical ContextAI

LoadedArsc.cpp is part of the Android Asset Manager 2 (AAPT2/libandroidfw) runtime, responsible for parsing compiled Android Resource Container (ARSC) files inside APKs. The Load() routine deserializes resource table chunks from disk into heap-backed structures, and CWE-122 (heap-based buffer overflow) here implies a missing or incorrect length check on a chunk header or string-pool offset, causing a write past an allocated buffer. Because libandroidfw is loaded into many privileged system services (e.g., system_server, package manager, install daemons), corrupting its heap from a controllable input path is a well-established route to privilege escalation on Android.

RemediationAI

Apply the June 2026 Android security patch level (2026-06-01 or later) as documented in https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM and carrier rollouts may lag the AOSP publish date, so confirm that the device's Security Patch Level under Settings actually reflects 2026-06-01+. No specific upstream commit hash or tagged libandroidfw release is provided in the input data, so administrators should rely on the bulletin's per-version patch level rather than an exact library version. As a compensating control until devices are patched, restrict installation of untrusted APKs (disable 'Install unknown apps' for all sources, enforce Play Protect, and use MDM to block sideloading) since the attack requires a local low-privileged process and crafted resource content is a likely delivery vector; the trade-off is reduced flexibility for developer and enterprise sideloading workflows.

Share

EUVD-2026-33810 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy