Description
In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local In-Account Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A confused deputy flaw in Android allows local users to elevate their privileges without needing to execute arbitrary code or gain additional user interaction. This weakness can enable an attacker to gain higher‑level permissions, potentially bypassing device security controls. The vulnerability is classified as CWE‑441.

Affected Systems

The flaw affects devices running Google Android version 16.0.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity, but the EPSS score of less than 1 % suggests a low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. Exploitation requires local access and does not need user interaction, implying that any local user could potentially trigger the privilege escalation if the device remains unpatched.

Generated by OpenCVE AI on April 16, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android 16.0 security update that addresses the privilege‑escalation flaw
  • If an update is not yet available, restrict services or applications that hold elevated permissions until an official patch is released
  • Continuously monitor Google’s Android security bulletins for new advisories or additional mitigations

Generated by OpenCVE AI on April 16, 2026 at 14:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title Confused Deputy Privilege Escalation in Android

Tue, 03 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-441
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-03T04:56:52.725Z

Reserved: 2025-10-15T15:38:35.601Z

Link: CVE-2026-0008

cve-icon Vulnrichment

Updated: 2026-03-02T21:29:32.939Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T19:16:29.360

Modified: 2026-03-03T13:20:00.050

Link: CVE-2026-0008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses