Description
In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves improper input validation during the provisioning process. This flaw allows an attacker who has local access to an Android device to elevate privileges without executing additional code. The exploitation does not require user interaction, meaning the attacker can perform the attack directly after gaining physical or local access.

Affected Systems

Google Android. No specific affected versions are listed, indicating that any Android device containing the vulnerable provisioning components could be at risk, including recent releases available at the time of the advisory.

Risk and Exploitability

The CVSS score of 7.8 indicates medium‑high severity for this local privilege escalation vulnerability. The EPSS score of less than 1% implies a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Because user interaction is not required and the vulnerability resides in local provisioning, an attacker with physical or local access can potentially exploit it. No additional execution privileges are needed.

Generated by OpenCVE AI on June 18, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Android OS to the latest version that includes the security fix for the provisioning bypass, as described in the official Android security bulletin.
  • Ensure that all provisioning requests undergo rigorous input validation to reject malformed or unexpected data before processing, following best practices for mitigating CWE-20.
  • Review and tighten the privilege model for the provisioning component, ensuring it runs with the least privileges necessary and that only authorized users can invoke it.
  • If a vendor patch is not yet available, temporarily disable or limit external provisioning interfaces, enforcing strict authentication and authorization checks before allowing provisioning operations.

Generated by OpenCVE AI on June 18, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Android Provisioning Bypass for Local Privilege Escalation

Thu, 18 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Title Android Provisioning Bypass Permits Local Privilege Escalation
Weaknesses CWE-269

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Android Provisioning Bypass Permits Local Privilege Escalation
Weaknesses CWE-20
CWE-269

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-18T03:55:49.881Z

Reserved: 2025-05-22T18:12:46.994Z

Link: CVE-2025-48643

cve-icon Vulnrichment

Updated: 2026-06-17T13:51:50.273Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:30:16Z

Weaknesses
  • CWE-20

    Improper Input Validation