Skip to main content

Google

13978 CVEs vendor

Monthly

CVE-2026-0124 HIGH This Week

Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0123 HIGH This Week

Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0122 HIGH This Week

Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.

RCE Memory Corruption Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0120 CRITICAL Act Now

Modem has a fifth OOB write enabling remote privilege escalation.

RCE Android Google
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0119 MEDIUM This Month

An out-of-bounds write vulnerability in Android's USIM registration component allows an attacker with physical access to escalate privileges without requiring additional permissions or user interaction. The memory corruption flaw in usim_SendMCCMNCIndMsg could enable complete compromise of affected devices. No patch is currently available for this vulnerability.

Memory Corruption Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-0118 HIGH This Week

Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0117 HIGH This Week

Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0116 CRITICAL Act Now

Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.

RCE Android Google
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0114 CRITICAL Act Now

Modem has a fourth OOB write due to incorrect bounds check.

RCE Android Google
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0113 CRITICAL Act Now

Modem has a third OOB write in cell broadcast utilities.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0112 HIGH This Week

Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.

Use After Free Privilege Escalation Race Condition Android Google
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-0111 CRITICAL Act Now

Modem OOB write in cell broadcast utilities enabling privilege escalation.

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0110 CRITICAL Act Now

Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling.

Memory Corruption Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0109 HIGH This Week

Android versions up to - is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Denial Of Service Android Google
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0107 HIGH This Week

Android versions up to - contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-36920 HIGH This Week

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD VulDB
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-3845 HIGH This Week

Firefox for Android versions prior to 148.0.2 contain a heap buffer overflow in the audio/video playback component that allows remote code execution, information disclosure, and denial of service through a malicious media file requiring user interaction. The vulnerability affects all Firefox for Android users and currently lacks a publicly available patch. An attacker can achieve complete system compromise by crafting a specially crafted video or audio file that triggers the buffer overflow when played.

Buffer Overflow Mozilla Heap Overflow Google
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-21791 LOW Monitor

HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL [CVSS 3.3 LOW]

Information Disclosure Google
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-69279 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-69278 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61616 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61615 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61614 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61613 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-61612 HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-2830 MEDIUM This Month

Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.

WordPress XSS Code Injection Google RCE
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2589 MEDIUM This Month

animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28395 npm MEDIUM PATCH This Month

OpenClaw Chrome extension relay server versions prior to 2026.2.12 improperly bind to all network interfaces when wildcard cdpUrl values are configured, enabling remote attackers to discover service endpoints and port information. An attacker can exploit this exposure to conduct denial-of-service attacks and brute-force attempts against the relay token authentication mechanism without requiring local access.

Google Information Disclosure Chrome
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-30798 HIGH POC This Week

Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-access agent by manipulating heartbeat synchronization traffic, abusing weak authenticity checks in the hbbs_http/sync.rs heartbeat loop to trigger the stop-service handler. Publicly available exploit code exists, but EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis being tracked as actively exploited (not in CISA KEV).

Rustdesk Microsoft Google Apple Information Disclosure
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-30797 CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Google Apple Information Disclosure Microsoft Android +2
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-30795 HIGH This Week

RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).

Apple Information Disclosure Microsoft Google Android +2
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-30794 CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Apple Information Disclosure Microsoft Google Rustdesk
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2026-30793 CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

CSRF Privilege Escalation Authentication Bypass Google Apple +4
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-30792 HIGH This Week

Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).

Apple Information Disclosure Microsoft Google Rustdesk
NVD VulDB
CVSS 4.0
8.3
EPSS
0.1%
CVE-2026-30789 MEDIUM This Month

Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).

Authentication Bypass Google Microsoft Apple Rustdesk
NVD VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-30783 MEDIUM This Month

Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.

Information Disclosure Google Apple Microsoft Rustdesk
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-30791 HIGH This Week

RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.

Microsoft Apple Google Information Disclosure Rustdesk +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68467 npm LOW PATCH Monitor

Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]

Node.js Google Information Disclosure Chrome
NVD GitHub VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-3545 CRITICAL PATCH Act Now

Sandbox escape via navigation validation in Chrome before 145.0.7632.159. Patch available.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-3544 HIGH PATCH This Week

Google Chrome versions before 145.0.7632.159 contain a heap buffer overflow in the WebCodecs component that enables remote attackers to write data outside allocated memory bounds through malicious HTML pages. An unauthenticated attacker can exploit this vulnerability with minimal user interaction to achieve arbitrary code execution on affected systems. A patch is available in Chrome 145.0.7632.159 and later.

Google Buffer Overflow Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3543 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's V8 engine (versions prior to 145.0.7632.159) enables remote attackers to achieve memory corruption through malicious HTML pages without requiring user privileges beyond standard interaction. The vulnerability affects all Chrome users and could potentially lead to information disclosure, data corruption, or code execution depending on memory layout and exploitation context.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3542 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAssembly implementation (versions prior to 145.0.7632.159) enables remote attackers to achieve full memory corruption through malicious HTML pages, requiring only user interaction. An attacker can exploit this to read sensitive data, modify memory, or crash the browser with no authentication needed. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3541 HIGH PATCH This Week

Out-of-bounds memory read in Google Chrome's CSS implementation (versions prior to 145.0.7632.159) allows network attackers to read sensitive memory contents by tricking users into viewing a malicious HTML page. The vulnerability requires user interaction but carries high impact, enabling information disclosure without authentication or special privileges. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3540 HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAudio component (versions prior to 145.0.7632.159) enables remote attackers to read, modify, or crash the browser by tricking users into visiting malicious web pages. This network-based vulnerability requires no special privileges and affects all Chrome users who interact with untrusted content. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3539 HIGH PATCH This Week

Heap corruption in Google Chrome's DevTools prior to version 145.0.7632.159 can be triggered through a malicious extension, requiring user installation and interaction. An attacker exploiting this object lifecycle vulnerability could achieve arbitrary code execution with full system privileges. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3538 HIGH PATCH This Week

Google Chrome's Skia rendering engine contains an integer overflow flaw that enables remote attackers to access out-of-bounds memory when processing malicious HTML pages. Affected users running Chrome versions prior to 145.0.7632.159 could face memory corruption leading to information disclosure, data modification, or denial of service. A security patch is available to remediate this critical vulnerability.

Integer Overflow Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3537 HIGH PATCH This Week

Heap corruption in Chrome's PowerVR graphics driver on Android versions prior to 145.0.7632.159 can be triggered through malicious HTML pages, potentially enabling remote code execution without user interaction beyond visiting a compromised website. The vulnerability stems from improper object lifecycle management and affects all Android users running vulnerable Chrome versions. A patch is available and should be applied immediately given the high exploitation potential.

Android Chrome Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3536 HIGH PATCH This Week

Google Chrome's ANGLE graphics library before version 145.0.7632.159 contains an integer overflow vulnerability that enables remote attackers to access out-of-bounds memory through malicious HTML pages. An unauthenticated attacker can exploit this flaw by tricking users into visiting a crafted webpage, potentially compromising confidentiality, integrity, and availability. A patch is available in Chrome 145.0.7632.159 and later versions.

Integer Overflow Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23233 HIGH POC PATCH This Week

F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.

Linux Google Buffer Overflow Memory Corruption Linux Kernel +3
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-3136 CRITICAL Act Now

Improper authorization in Google Cloud Build GitHub Trigger allowing unauthenticated build execution. EPSS 0.19%.

Google Github Cloud Build
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-3465 LOW Monitor

A vulnerability was determined in Tuya App and SDK 24.07.11 on Android. Affected by this vulnerability is an unknown functionality of the component JSON Data Point Handler. [CVSS 3.1 LOW]

Denial Of Service Google
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-0047 HIGH This Week

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0038 HIGH PATCH This Week

Android versions up to - contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0037 HIGH PATCH This Week

Local privilege escalation in Android's ffa.c component allows unauthenticated attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability stems from a logic error in multiple functions and requires only local access to exploit. A patch is available to address this high-severity flaw.

Memory Corruption Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0035 HIGH This Week

An Android MediaProvider logic error allows local applications to obtain unauthorized read and write access to arbitrary files, enabling privilege escalation without requiring additional permissions or user interaction. This vulnerability affects the createRequest function and permits apps to manipulate file access controls beyond their intended scope. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0034 HIGH This Week

Improper input validation in Android's ManagedServices notification policy handler allows local attackers to escalate privileges without requiring additional permissions or user interaction. An attacker can exploit this flaw to desynchronize notification policies and gain elevated system privileges on the affected device. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0032 HIGH PATCH This Week

A logic error in Android's mem_protect.c enables local attackers to write out-of-bounds memory and escalate privileges without requiring additional permissions or user interaction. This vulnerability affects Android devices and can be exploited by any local user to gain elevated system privileges. A patch is available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0031 HIGH PATCH This Week

Local privilege escalation in Android's mem_protect.c results from integer overflow conditions that enable out-of-bounds memory writes, allowing unauthenticated local attackers to gain elevated system privileges without user interaction. The vulnerability affects multiple functions within the memory protection component and is exploitable by any process on the affected device. A patch is available to address this high-severity issue.

Integer Overflow Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0030 HIGH PATCH This Week

Local privilege escalation in Android's mem_protect.c allows unprivileged attackers to achieve full system access through an out-of-bounds write caused by insufficient bounds validation. The vulnerability requires no user interaction and can be exploited immediately upon device compromise by any local process.

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0029 HIGH PATCH This Week

Local privilege escalation in Android's pKVM hypervisor initialization allows unprivileged attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability stems from a logic error in the __pkvm_init_vm function that fails to properly validate memory operations during VM setup. A patch is available to address this high-severity flaw affecting Android devices.

Memory Corruption Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0028 HIGH PATCH This Week

Local privilege escalation in Android's __pkvm_host_share_guest function allows unprivileged attackers to achieve kernel-level code execution through integer overflow-induced out-of-bounds memory writes. The vulnerability requires no user interaction and can be exploited directly from any local context on affected devices. A patch is available to address this high-severity flaw.

Integer Overflow Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0027 MEDIUM PATCH This Month

The ARM SMMU v3 driver in Android contains a use-after-free vulnerability in the smmu_detach_dev function that could allow a local privileged attacker to execute arbitrary code with system privileges. An attacker with high-level system access can trigger an out-of-bounds write to escalate privileges without requiring user interaction. A patch is available to address this issue.

Use After Free Privilege Escalation Android Google
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-0026 HIGH This Week

Local privilege escalation in Android's PermissionManagerServiceImpl allows an attacker to override system permissions through a logic error in the removePermission function. An unprivileged local attacker can exploit this vulnerability with user interaction to gain elevated privileges. No patch is currently available and exploitation requires physical or local access to the device.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0025 HIGH This Week

Unauthorized information disclosure in Android's Notification.java hasImage method allows local attackers to bypass permission checks and access sensitive data across user accounts without requiring elevated privileges or user interaction. This permissions bypass can lead to local privilege escalation on affected Android devices. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0024 MEDIUM This Month

MediaProvider on Android lacks proper permission validation in the isRedactionNeededForOpenViaContentResolver function, allowing local attackers to infer the precise locations of media files without requiring special privileges or user interaction. This information disclosure vulnerability affects any application with local access to the device, and while the CVSS score is moderate, no patch is currently available.

Information Disclosure Android Google
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-0023 HIGH This Week

Improper permission validation in Android's PackageInstallerService allows a local app to modify its own package ownership without requiring elevated privileges, enabling privilege escalation. An attacker with a malicious app installed on the device can exploit this flaw without user interaction to gain unauthorized access to system resources. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0021 HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0020 HIGH This Week

Android versions up to 14.0 is affected by authorization bypass through user-controlled key (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0017 HIGH This Week

Biometric authentication bypass in Android's BiometricService allows local attackers to enable fingerprint unlock through a logic error, resulting in privilege escalation without requiring user interaction or special permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-0015 MEDIUM This Month

AppOpsService.java in Android contains insufficient input validation that permits local attackers to trigger persistent denial of service without requiring elevated privileges or user interaction. An attacker can exploit multiple code paths to repeatedly crash or disable the service, degrading system functionality for legitimate users. No patch is currently available for this vulnerability.

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0014 MEDIUM This Month

Local denial of service in Android's AppOpsService allows unauthenticated attackers to trigger persistent system crashes through improper input validation in the isPackageNullOrSystem function. The vulnerability requires only local access with no special privileges or user interaction, making any app on an affected device a potential attack vector. No patch is currently available.

Denial Of Service Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0013 HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0012 MEDIUM This Month

Contact information exposure in Android's notification system allows local attackers to extract sensitive user data through a logic error in the setHideSensitive function, requiring no special privileges or user interaction. The vulnerability affects the ExpandableNotificationRow component where contact names can be inadvertently disclosed despite intended privacy protections. No patch is currently available for this medium-severity flaw.

Information Disclosure Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-0011 HIGH This Week

Local privilege escalation in Android's Settings.java enableSystemPackageLPw function allows unauthenticated local attackers to manipulate location access controls through a logic error, requiring no user interaction. An attacker with local access can exploit this vulnerability to gain elevated privileges and bypass location permission enforcement. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0010 HIGH This Week

Local privilege escalation in Android's DRM manager service allows unprivileged processes to achieve system-level access through an out-of-bounds memory write in the IDrmManagerService transaction handler. The vulnerability requires no user interaction and can be exploited immediately upon execution, making it a direct path to elevated privileges on affected Android devices. No patch is currently available.

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0008 HIGH This Week

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-0007 HIGH This Week

Android versions up to 14.0 is affected by improper restriction of rendered ui layers or frames (CVSS 8.6).

Privilege Escalation Android Google
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-0006 CRITICAL Act Now

Android has a heap buffer overflow in multiple locations enabling privilege escalation through out-of-bounds read and write operations.

RCE Buffer Overflow Android Google
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-0005 MEDIUM This Month

App pinning bypass in Android's KeyguardServiceDelegate allows unauthenticated local attackers to interact with restricted applications without the lock screen knowledge factor (LSKF) due to insufficient permission validation. The vulnerability enables limited information disclosure through unauthorized app access with no additional privileges or user interaction required. No patch is currently available.

Information Disclosure Android Google
NVD
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-48654 HIGH This Week

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.8).

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48653 HIGH This Week

In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48650 HIGH This Week

In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

SQLi Privilege Escalation Information Disclosure Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48646 HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.8).

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48645 HIGH This Week

In loadDescription of DeviceAdminInfo.java, there is a possible persistent package due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-48644 MEDIUM This Month

In multiple locations, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Denial Of Service Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-48642 MEDIUM This Month

In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Information Disclosure Android Google
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-48641 HIGH This Week

In multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.0 HIGH]

Use After Free Privilege Escalation Race Condition Android Google
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-48636 HIGH This Week

In openFile of BugreportContentProvider.java, there is a possible way to read and write unauthorized files due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Path Traversal Android Google
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-48635 HIGH This Week

In multiple functions of TaskFragmentOrganizerController.java, there is a possible activity token leak due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.7 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-48634 HIGH This Week

In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.3 HIGH]

Privilege Escalation Android Google
NVD
CVSS 3.1
7.3
EPSS
0.0%
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android results from an out-of-bounds write vulnerability caused by insufficient bounds validation. A local attacker with limited privileges can exploit this flaw without user interaction to gain elevated system permissions. No patch is currently available.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Uncontrolled buffer writes in Android's EfwApTransport component allow local attackers to achieve privilege escalation without requiring user interaction or special permissions. The vulnerability stems from insufficient bounds checking in the ProcessRxRing function, enabling an attacker with local access to corrupt kernel memory and gain elevated privileges.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Unauthenticated local attackers can achieve remote code execution on Android devices through out-of-bounds memory writes that corrupt process memory. This vulnerability requires no user interaction or elevated privileges to exploit and has a CVSS score of 8.4. No patch is currently available.

RCE Memory Corruption Android +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a fifth OOB write enabling remote privilege escalation.

RCE Android Google
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

An out-of-bounds write vulnerability in Android's USIM registration component allows an attacker with physical access to escalate privileges without requiring additional permissions or user interaction. The memory corruption flaw in usim_SendMCCMNCIndMsg could enable complete compromise of affected devices. No patch is currently available for this vulnerability.

Memory Corruption Privilege Escalation Android +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Oobconfig on Android contains a logic error that allows local attackers to circumvent carrier restrictions and escalate privileges without requiring additional execution capabilities or user interaction. This vulnerability enables unauthorized privilege elevation on affected devices through a straightforward exploitation path. No patch is currently available to remediate this issue.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Android's Media Framework Codec (MFC) decoder results from an out-of-bounds write vulnerability in the mfc_dec_dqbuf function due to inadequate bounds validation. An attacker with local access can exploit this defect without special privileges or user interaction to gain elevated system permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Samsung/Google MFC driver has an OOB write in mfc_core_isr.c enabling kernel-level privilege escalation on Android devices.

RCE Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a fourth OOB write due to incorrect bounds check.

RCE Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem has a third OOB write in cell broadcast utilities.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Local privilege escalation on Android devices occurs through a race condition in the VPU driver's instance opening function, allowing attackers to trigger a use-after-free condition without requiring special privileges or user interaction. An unprivileged local attacker can exploit this vulnerability to gain elevated system privileges. No patch is currently available for this vulnerability.

Use After Free Privilege Escalation Race Condition +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Modem OOB write in cell broadcast utilities enabling privilege escalation.

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Samsung/Qualcomm modem has an out-of-bounds write in NR SM message handling enabling privilege escalation through crafted cellular signaling.

Memory Corruption Privilege Escalation Android +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Android versions up to - is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Denial Of Service Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to - contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

In hyp_alloc of arch/arm64/kvm/hyp/nvhe/alloc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Android Google
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Firefox for Android versions prior to 148.0.2 contain a heap buffer overflow in the audio/video playback component that allows remote code execution, information disclosure, and denial of service through a malicious media file requiring user interaction. The vulnerability affects all Firefox for Android users and currently lacks a publicly available patch. An attacker can achieve complete system compromise by crafting a specially crafted video or audio file that triggers the buffer overflow when played.

Buffer Overflow Mozilla Heap Overflow +1
NVD VulDB
EPSS 0% CVSS 3.3
LOW Monitor

HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URL [CVSS 3.3 LOW]

Information Disclosure Google
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In nr modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. [CVSS 7.5 HIGH]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.

WordPress XSS Code Injection +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure Google
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw Chrome extension relay server versions prior to 2026.2.12 improperly bind to all network interfaces when wildcard cdpUrl values are configured, enabling remote attackers to discover service endpoints and port information. An attacker can exploit this exposure to conduct denial-of-service attacks and brute-force attempts against the relay token authentication mechanism without requiring local access.

Google Information Disclosure Chrome
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC This Week

Remote denial-of-service in RustDesk Client through 1.4.5 allows network-positioned attackers to disrupt the remote-access agent by manipulating heartbeat synchronization traffic, abusing weak authenticity checks in the hbbs_http/sync.rs heartbeat loop to trigger the stop-service handler. Publicly available exploit code exists, but EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis being tracked as actively exploited (not in CISA KEV).

Rustdesk Microsoft Google +2
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Google Apple Information Disclosure +4
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).

Apple Information Disclosure Microsoft +4
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

Apple Information Disclosure Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.

CSRF Privilege Escalation Authentication Bypass +6
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).

Apple Information Disclosure Microsoft +2
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Authentication bypass in RustDesk Client through 1.4.5 across Windows, macOS, Linux, iOS, and Android allows remote attackers to replay captured session IDs and login proofs to impersonate legitimate peers without knowing the original credentials. The flaw stems from insufficient computational effort in the hash_password() routine combined with reusable session identifiers in the login proof construction, enabling capture-replay attacks against the peer authentication module. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.04% (12th percentile).

Authentication Bypass Google Microsoft +2
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Privilege escalation in RustDesk Client through version 1.4.5 on Windows, macOS, Linux, iOS, and Android allows unauthenticated remote attackers to abuse API sync and configuration management functions. The vulnerability in the rendezvous mediator and HTTP sync modules enables attackers to gain elevated privileges without user interaction. No patch is currently available for affected users.

Information Disclosure Google Apple +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

RustDesk Client through version 1.4.5 uses a broken cryptographic algorithm that allows attackers to retrieve sensitive embedded data during config import, URI scheme handling, or CLI operations across Windows, macOS, Linux, iOS, Android, and web clients. An unauthenticated remote attacker can exploit this vulnerability without user interaction to extract sensitive configuration information. No patch is currently available for this high-severity vulnerability.

Microsoft Apple Google +5
NVD VulDB
EPSS 0% CVSS 3.4
LOW PATCH Monitor

Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]

Node.js Google Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape via navigation validation in Chrome before 145.0.7632.159. Patch available.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome versions before 145.0.7632.159 contain a heap buffer overflow in the WebCodecs component that enables remote attackers to write data outside allocated memory bounds through malicious HTML pages. An unauthenticated attacker can exploit this vulnerability with minimal user interaction to achieve arbitrary code execution on affected systems. A patch is available in Chrome 145.0.7632.159 and later.

Google Buffer Overflow Chrome +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's V8 engine (versions prior to 145.0.7632.159) enables remote attackers to achieve memory corruption through malicious HTML pages without requiring user privileges beyond standard interaction. The vulnerability affects all Chrome users and could potentially lead to information disclosure, data corruption, or code execution depending on memory layout and exploitation context.

Chrome Google Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAssembly implementation (versions prior to 145.0.7632.159) enables remote attackers to achieve full memory corruption through malicious HTML pages, requiring only user interaction. An attacker can exploit this to read sensitive data, modify memory, or crash the browser with no authentication needed. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory read in Google Chrome's CSS implementation (versions prior to 145.0.7632.159) allows network attackers to read sensitive memory contents by tricking users into viewing a malicious HTML page. The vulnerability requires user interaction but carries high impact, enabling information disclosure without authentication or special privileges. A patch is available in Chrome 145.0.7632.159 and later.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Google Chrome's WebAudio component (versions prior to 145.0.7632.159) enables remote attackers to read, modify, or crash the browser by tricking users into visiting malicious web pages. This network-based vulnerability requires no special privileges and affects all Chrome users who interact with untrusted content. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's DevTools prior to version 145.0.7632.159 can be triggered through a malicious extension, requiring user installation and interaction. An attacker exploiting this object lifecycle vulnerability could achieve arbitrary code execution with full system privileges. A patch is available in Chrome 145.0.7632.159 and later versions.

Google Chrome Red Hat +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome's Skia rendering engine contains an integer overflow flaw that enables remote attackers to access out-of-bounds memory when processing malicious HTML pages. Affected users running Chrome versions prior to 145.0.7632.159 could face memory corruption leading to information disclosure, data modification, or denial of service. A security patch is available to remediate this critical vulnerability.

Integer Overflow Chrome Google +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Chrome's PowerVR graphics driver on Android versions prior to 145.0.7632.159 can be triggered through malicious HTML pages, potentially enabling remote code execution without user interaction beyond visiting a compromised website. The vulnerability stems from improper object lifecycle management and affects all Android users running vulnerable Chrome versions. A patch is available and should be applied immediately given the high exploitation potential.

Android Chrome Google +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Google Chrome's ANGLE graphics library before version 145.0.7632.159 contains an integer overflow vulnerability that enables remote attackers to access out-of-bounds memory through malicious HTML pages. An unauthenticated attacker can exploit this flaw by tricking users into visiting a crafted webpage, potentially compromising confidentiality, integrity, and availability. A patch is available in Chrome 145.0.7632.159 and later versions.

Integer Overflow Chrome Google +2
NVD
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.

Linux Google Buffer Overflow +5
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Improper authorization in Google Cloud Build GitHub Trigger allowing unauthenticated build execution. EPSS 0.19%.

Google Github Cloud Build
NVD
EPSS 0% CVSS 1.3
LOW Monitor

A vulnerability was determined in Tuya App and SDK 24.07.11 on Android. Affected by this vulnerability is an unknown functionality of the component JSON Data Point Handler. [CVSS 3.1 LOW]

Denial Of Service Google
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Android versions up to - contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in Android's ffa.c component allows unauthenticated attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability stems from a logic error in multiple functions and requires only local access to exploit. A patch is available to address this high-severity flaw.

Memory Corruption Privilege Escalation Android +1
NVD
EPSS 0% CVSS 8.4
HIGH This Week

An Android MediaProvider logic error allows local applications to obtain unauthorized read and write access to arbitrary files, enabling privilege escalation without requiring additional permissions or user interaction. This vulnerability affects the createRequest function and permits apps to manipulate file access controls beyond their intended scope. No patch is currently available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Improper input validation in Android's ManagedServices notification policy handler allows local attackers to escalate privileges without requiring additional permissions or user interaction. An attacker can exploit this flaw to desynchronize notification policies and gain elevated system privileges on the affected device. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

A logic error in Android's mem_protect.c enables local attackers to write out-of-bounds memory and escalate privileges without requiring additional permissions or user interaction. This vulnerability affects Android devices and can be exploited by any local user to gain elevated system privileges. A patch is available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in Android's mem_protect.c results from integer overflow conditions that enable out-of-bounds memory writes, allowing unauthenticated local attackers to gain elevated system privileges without user interaction. The vulnerability affects multiple functions within the memory protection component and is exploitable by any process on the affected device. A patch is available to address this high-severity issue.

Integer Overflow Privilege Escalation Android +1
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in Android's mem_protect.c allows unprivileged attackers to achieve full system access through an out-of-bounds write caused by insufficient bounds validation. The vulnerability requires no user interaction and can be exploited immediately upon device compromise by any local process.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in Android's pKVM hypervisor initialization allows unprivileged attackers to corrupt memory and gain elevated privileges without user interaction. The vulnerability stems from a logic error in the __pkvm_init_vm function that fails to properly validate memory operations during VM setup. A patch is available to address this high-severity flaw affecting Android devices.

Memory Corruption Privilege Escalation Android +1
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Local privilege escalation in Android's __pkvm_host_share_guest function allows unprivileged attackers to achieve kernel-level code execution through integer overflow-induced out-of-bounds memory writes. The vulnerability requires no user interaction and can be exploited directly from any local context on affected devices. A patch is available to address this high-severity flaw.

Integer Overflow Privilege Escalation Android +1
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

The ARM SMMU v3 driver in Android contains a use-after-free vulnerability in the smmu_detach_dev function that could allow a local privileged attacker to execute arbitrary code with system privileges. An attacker with high-level system access can trigger an out-of-bounds write to escalate privileges without requiring user interaction. A patch is available to address this issue.

Use After Free Privilege Escalation Android +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Android's PermissionManagerServiceImpl allows an attacker to override system permissions through a logic error in the removePermission function. An unprivileged local attacker can exploit this vulnerability with user interaction to gain elevated privileges. No patch is currently available and exploitation requires physical or local access to the device.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Unauthorized information disclosure in Android's Notification.java hasImage method allows local attackers to bypass permission checks and access sensitive data across user accounts without requiring elevated privileges or user interaction. This permissions bypass can lead to local privilege escalation on affected Android devices. No patch is currently available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

MediaProvider on Android lacks proper permission validation in the isRedactionNeededForOpenViaContentResolver function, allowing local attackers to infer the precise locations of media files without requiring special privileges or user interaction. This information disclosure vulnerability affects any application with local access to the device, and while the CVSS score is moderate, no patch is currently available.

Information Disclosure Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper permission validation in Android's PackageInstallerService allows a local app to modify its own package ownership without requiring elevated privileges, enabling privilege escalation. An attacker with a malicious app installed on the device can exploit this flaw without user interaction to gain unauthorized access to system resources. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to 14.0 is affected by authorization bypass through user-controlled key (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Biometric authentication bypass in Android's BiometricService allows local attackers to enable fingerprint unlock through a logic error, resulting in privilege escalation without requiring user interaction or special permissions. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

AppOpsService.java in Android contains insufficient input validation that permits local attackers to trigger persistent denial of service without requiring elevated privileges or user interaction. An attacker can exploit multiple code paths to repeatedly crash or disable the service, degrading system functionality for legitimate users. No patch is currently available for this vulnerability.

Denial Of Service Android Google
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Local denial of service in Android's AppOpsService allows unauthenticated attackers to trigger persistent system crashes through improper input validation in the isPackageNullOrSystem function. The vulnerability requires only local access with no special privileges or user interaction, making any app on an affected device a potential attack vector. No patch is currently available.

Denial Of Service Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Contact information exposure in Android's notification system allows local attackers to extract sensitive user data through a logic error in the setHideSensitive function, requiring no special privileges or user interaction. The vulnerability affects the ExpandableNotificationRow component where contact names can be inadvertently disclosed despite intended privacy protections. No patch is currently available for this medium-severity flaw.

Information Disclosure Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Android's Settings.java enableSystemPackageLPw function allows unauthenticated local attackers to manipulate location access controls through a logic error, requiring no user interaction. An attacker with local access can exploit this vulnerability to gain elevated privileges and bypass location permission enforcement. No patch is currently available for this vulnerability.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege escalation in Android's DRM manager service allows unprivileged processes to achieve system-level access through an out-of-bounds memory write in the IDrmManagerService transaction handler. The vulnerability requires no user interaction and can be exploited immediately upon execution, making it a direct path to elevated privileges on affected Android devices. No patch is currently available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 8.4).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Android versions up to 14.0 is affected by improper restriction of rendered ui layers or frames (CVSS 8.6).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Android has a heap buffer overflow in multiple locations enabling privilege escalation through out-of-bounds read and write operations.

RCE Buffer Overflow Android +1
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

App pinning bypass in Android's KeyguardServiceDelegate allows unauthenticated local attackers to interact with restricted applications without the lock screen knowledge factor (LSKF) due to insufficient permission validation. The vulnerability enables limited information disclosure through unauthorized app access with no additional privileges or user interaction required. No patch is currently available.

Information Disclosure Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Android versions up to 16.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.8).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In loadDataAndPostValue of multiple files, there is a possible way to obscure permission usage due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In multiple locations, there is a possible information disclosure due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

SQLi Privilege Escalation Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege with no additional execution privileges needed (CVSS 7.8).

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In loadDescription of DeviceAdminInfo.java, there is a possible persistent package due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.8 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In multiple locations, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Denial Of Service Android Google
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In jump_to_payload of payload.rs, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. [CVSS 5.5 MEDIUM]

Information Disclosure Android Google
NVD
EPSS 0% CVSS 7.0
HIGH This Week

In multiple functions of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.0 HIGH]

Use After Free Privilege Escalation Race Condition +2
NVD
EPSS 0% CVSS 8.4
HIGH This Week

In openFile of BugreportContentProvider.java, there is a possible way to read and write unauthorized files due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 8.4 HIGH]

Privilege Escalation Path Traversal Android +1
NVD
EPSS 0% CVSS 7.7
HIGH This Week

In multiple functions of TaskFragmentOrganizerController.java, there is a possible activity token leak due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.7 HIGH]

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 7.3
HIGH This Week

In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. [CVSS 7.3 HIGH]

Privilege Escalation Android Google
NVD
Prev Page 24 of 156 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy