Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In Load of LoadedArsc.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android (versions 14, 15, 16, and 16-qpr2) stems from a heap buffer overflow in the LoadedArsc.cpp resource table loader, allowing a low-privileged local process to write out of bounds and gain elevated execution privileges without user interaction. No public exploit identified at time of analysis, and SSVC scoring indicates exploitation has not been observed despite a 'total' technical impact rating. Patches are tracked in the June 2026 Android Security Bulletin.
Technical ContextAI
LoadedArsc.cpp is part of the Android Asset Manager 2 (AAPT2/libandroidfw) runtime, responsible for parsing compiled Android Resource Container (ARSC) files inside APKs. The Load() routine deserializes resource table chunks from disk into heap-backed structures, and CWE-122 (heap-based buffer overflow) here implies a missing or incorrect length check on a chunk header or string-pool offset, causing a write past an allocated buffer. Because libandroidfw is loaded into many privileged system services (e.g., system_server, package manager, install daemons), corrupting its heap from a controllable input path is a well-established route to privilege escalation on Android.
RemediationAI
Apply the June 2026 Android security patch level (2026-06-01 or later) as documented in https://source.android.com/docs/security/bulletin/2026/2026-06-01; OEM and carrier rollouts may lag the AOSP publish date, so confirm that the device's Security Patch Level under Settings actually reflects 2026-06-01+. No specific upstream commit hash or tagged libandroidfw release is provided in the input data, so administrators should rely on the bulletin's per-version patch level rather than an exact library version. As a compensating control until devices are patched, restrict installation of untrusted APKs (disable 'Install unknown apps' for all sources, enforce Play Protect, and use MDM to block sideloading) since the attack requires a local low-privileged process and crafted resource content is a likely delivery vector; the trade-off is reduced flexibility for developer and enterprise sideloading workflows.
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33810
GHSA-cj7m-v38w-w8vq