The vulnerability stems from improper input validation in the loadDescription method of DeviceAdminInfo.java, which can cause information from a persistent package to be handled incorrectly. This flaw allows an attacker with local access to elevate privileges on the affected device without needing to execute additional code. The weakness is classified as CWE‑269, referring to improper privilege management. The consequence is a full compromise of the device’s security model, granting the attacker the same rights as the device’s root or system processes, and providing potential for further malicious activity.

Android devices running any of the following versions are affected: Android 14.0, Android 15.0, Android 16.0, and the Android 16.0 QPR2 beta releases (1, 2, and 3). These are identified by the provided CPE strings and correspond to all modern Android builds in the listed series.

The CVSS score of 9.8 signals a critical security impact. The EPSS score of less than 1% indicates that real‑world exploitation is considered low at present, though the flaw remains available. The vulnerability is not yet listed in the CISA KEV catalog. Attackers can exploit the flaw locally; no additional privileges or remote access are required, and no user interaction is necessary, making the attack vector essentially local device access.