Description
In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in the Android ComputerEngine.java code allows one user to access URLs that belong to another user without authentication or user interaction, representing a CWE-284: Improper Access Control weakness. This flaw enables a local attacker to elevate privileges on the same device without needing to execute additional code. The vulnerability is a pure privilege escalation, not requiring exploitation of a separate execution vector.

Affected Systems

The flaw affects Google Android devices running versions 14.0, 15.0, and 16.0—including the 16.0 QPR2 beta releases—because those builds include the vulnerable ComputerEngine.java implementation. Any Android build prior to the official security patch that addresses this logic bug is potentially vulnerable.

Risk and Exploitability

The EPSS score is < 1% and KEV does not list this vulnerability, but the impact is moderate due to local privilege escalation. Because user interaction is not required, a local attacker—such as a malicious app or compromised user—can exploit it readily. Exploitation conditions are minimal, depending only on the presence of the vulnerable component, and the CVSS score of 7.8 indicates high severity. However, the low EPSS score of < 1% suggests the exploitation probability in the wild is currently low.

Generated by OpenCVE AI on June 3, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Android security patch that corrects the ComputerEngine.java logic once it is released.
  • Restrict the permissions of applications that interact with ComputerEngine.java to the minimum required set, ensuring they cannot assume another user’s authority.
  • Implement a device‑level policy that enforces strict user isolation to prevent cross‑user URI requests, such as disabling cross‑profile access in system settings.

Generated by OpenCVE AI on June 3, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross‑User URI Access in Android ComputerEngine.java

Wed, 03 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross‑User URI Access in Android ComputerEngine.java

Tue, 02 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross-User URI Access in ComputerEngine.java
Weaknesses CWE-862

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Cross-User URI Access in ComputerEngine.java
Weaknesses CWE-862

Mon, 01 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-03T12:53:06.805Z

Reserved: 2025-01-06T17:45:03.361Z

Link: CVE-2025-22426

cve-icon Vulnrichment

Updated: 2026-06-02T13:40:17.059Z

cve-icon NVD

Status : Modified

Published: 2026-06-01T22:16:17.510

Modified: 2026-06-03T14:16:30.580

Link: CVE-2025-22426

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T15:45:36Z

Weaknesses