Impact
The vulnerability resides in the writeToParcel function of WindowInfo.cpp. An attacker can craft a malicious payload that tricks a legitimate application into granting a permission through a tapjacking or overlay attack. The flaw allows local elevation of privilege without requiring the victim to execute any additional code. This high-severity flaw could let a non-privileged user gain administrative privileges on the device, impacting the confidentiality, integrity, and availability of system resources.
Affected Systems
Google Android versions 14.0, 15.0, and 16.0 are affected. Any device running these versions of the operating system is potentially vulnerable to the exploit if it accepts the manipulated permission request.
Risk and Exploitability
The vulnerability is rated 7.8 on the CVSS scale, indicating high severity. The exploit probability is very low, with an EPSS score of less than 1%. The issue is not currently listed in the CISA KEV catalog. Based on the description, the attack path likely involves a local user or an application with overlay capabilities. User interaction is not required for exploitation, meaning the attacker could trigger the payload without explicit victim action, although the exact conditions may necessitate an active session or a running application that can display overlays.