Description
In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in the Android ComputerEngine.java code allows one user to access URLs that belong to another user without authentication or user interaction, representing a CWE-284: Improper Access Control weakness. This flaw enables a local attacker to elevate privileges on the same device without needing to execute additional code. The vulnerability is a pure privilege escalation, not requiring exploitation of a separate execution vector.

Affected Systems

The flaw affects Android devices that include the vulnerable ComputerEngine.java implementation. No specific OS version is listed, meaning any Android build containing this code prior to an official fix is potentially compromised.

Risk and Exploitability

The EPSS score is < 1% and KEV does not list this vulnerability, but the impact is moderate due to local privilege escalation. Because user interaction is not required, a local attacker—such as a malicious app or compromised user—can exploit it readily. Exploitation conditions are minimal, depending only on the presence of the vulnerable component, and the CVSS score of 5.9 indicates moderate severity. However, the low EPSS score of < 1% suggests the exploitation probability in the wild is currently low.

Generated by OpenCVE AI on June 2, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Android security patch that corrects the ComputerEngine.java logic once it is released.
  • After patch deployment, remove or disable any temporary workarounds that allow cross‑user URI access until the component is fully secure.
  • Restrict the permissions of applications that interact with ComputerEngine.java to the minimum required set, ensuring they cannot assume another user’s authority.

Generated by OpenCVE AI on June 2, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross‑User URI Access in Android ComputerEngine.java

Tue, 02 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross-User URI Access in ComputerEngine.java
Weaknesses CWE-862

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross-User URI Access in ComputerEngine.java
Weaknesses CWE-862

Mon, 01 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T13:41:24.163Z

Reserved: 2025-01-06T17:45:03.361Z

Link: CVE-2025-22426

cve-icon Vulnrichment

Updated: 2026-06-02T13:40:17.059Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T22:16:17.510

Modified: 2026-06-02T18:57:42.203

Link: CVE-2025-22426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T18:00:19Z

Weaknesses