Description
In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a permission bypass that allows an attacker with local access to reset the permissions users have logically granted to applications. Because the flaw is classified as CWE‑693, it exposes the user to a local privilege escalation without any need for additional execution privileges. This means a normal user of the device can, without user interaction, elevate their privileges and potentially take control of device settings and data.

Affected Systems

Android devices maintained by Google are affected. Since the advisory does not specify particular OS versions or device models, all versions that contain the vulnerable code paths should be treated as at risk until a patch is applied.

Risk and Exploitability

The vulnerability scores a CVSS of 7.8, indicating high severity, and an EPSS of less than 1%, which is a low probability of exploitation at the present moment. Because no user interaction is required, any local attacker can exploit the flaw in the same way that an attacker who has already accessed the device could. The flaw is not listed in the CISA KEV catalog, but the lack of user interaction still makes it a significant concern for devices that are in the physical possession of an adversary.

Generated by OpenCVE AI on June 2, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch referenced in the official security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01.
  • If a patch is not yet available, limit or remove the ability to change permissions for apps that may be affected by disabling related settings in the device settings menu.
  • Monitor device logs for unexpected permission changes and investigate any anomalous privilege escalation events.
  • Follow Android best practices for securing device access, such as enabling a strong device lock and restricting local physical access to the device.

Generated by OpenCVE AI on June 2, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Permission Reset Bypass on Android

Tue, 02 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Title Android Permission Reset Bypass Allowing Local Privilege Escalation
Weaknesses CWE-285
CWE-862

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Android Permission Reset Bypass Allowing Local Privilege Escalation
Weaknesses CWE-285
CWE-862

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-03T03:55:26.675Z

Reserved: 2025-05-22T18:12:46.995Z

Link: CVE-2025-48649

cve-icon Vulnrichment

Updated: 2026-06-02T13:27:35.697Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T22:16:18.947

Modified: 2026-06-03T14:35:05.150

Link: CVE-2025-48649

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T19:30:15Z

Weaknesses
  • CWE-693

    Protection Mechanism Failure