Impact
The vulnerability is a missing permission check in multiple locations of the Android passkey pairing logic, which allows a third‑party application to trigger passkey entry pairing approval without authorization. The omission enables remote (proximal/adjacent) escalation of privilege: the attacker gains higher access rights without needing additional execution privileges or user interaction. The flaw results in unauthorized privilege escalation that could affect device data and system integrity.
Affected Systems
The affected vendor is Google for the Android operating system. Specific product names are not enumerated, and no version information is available in the current data, so all Android devices manufactured by Google that include the affected passkey pairing functionality are considered potentially vulnerable.
Risk and Exploitability
The EPSS score is reported to be less than 1%, indicating a very low probability of exploitation in the wild at the time of this analysis. The vulnerability is not currently listed in the CISA KEV catalog. However, because it permits privilege escalation without user interaction, an attacker could exploit the flaw by sending a crafted passkey pairing request from a nearby device or network segment, potentially escalating privileges on the target device. The data records no patch available at release time, so the risk remains until an official fix is applied.
OpenCVE Enrichment