Skip to main content

Android EUVDEUVD-2026-33811

| CVE-2026-28577 HIGH
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-06-01 google_android GHSA-2cvw-44hj-3wxw
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:27 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from a tapjacking/overlay weakness in the addWindow function of WindowManagerService.java. A locally-installed malicious app holding low privileges can draw deceptive overlays to hijack user taps and gain elevated permissions without requiring further user interaction. No public exploit identified at time of analysis, and SSVC indicates exploitation is not currently observed, but technical impact is rated total.

Technical ContextAI

The flaw resides in WindowManagerService.java, the core Android system service that arbitrates window creation, layering, and input dispatching for every app surface on the device. The addWindow code path is responsible for validating new window requests before they are added to the display hierarchy, and the missing or insufficient check enables an attacker-controlled window to be positioned over a sensitive UI element such as a permission consent dialog. This maps to CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), the classic UI-redress / clickjacking weakness class. Although the tag set mentions XSS, the CWE and description make clear this is a native Android UI overlay (tapjacking) issue, not a web-context cross-site scripting bug.

RemediationAI

Apply the June 2026 Android Security Bulletin (Patch available per vendor advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01) by updating affected devices to the 2026-06-01 or later Security Patch Level for the corresponding Android 14, 15, 16, and 16-qpr2 branches; OEM and carrier rollouts will determine the exact build string per device. Until the SPL is installed, compensating controls include restricting sideloading and Play Protect bypass on managed fleets, revoking the SYSTEM_ALERT_WINDOW / 'Display over other apps' permission for non-essential apps via Settings or MDM (trade-off: breaks legitimate overlay apps such as chat heads, password managers, and accessibility tools), and enabling the platform 'Hide overlays during permission requests' protection where supported (trade-off: minimal, but does not cover non-permission sensitive surfaces). Enterprise admins should also audit installed apps for the BIND_ACCESSIBILITY_SERVICE permission, which is frequently abused alongside overlay attacks.

Share

EUVD-2026-33811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy