Description
In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

In the setupLayout method of PickActivity.java, a confused-deputy flaw permits any application to start an activity as the DocumentsUI app, with no additional execution privileges and no user interaction required. This flaw allows an attacker to execute arbitrary code with the higher permissions granted to the DocumentsUI context, effectively enabling a local escalation of privilege. The weakness is classified as CWE-441: Confused Deputy.

Affected Systems

The vulnerability affects Android operating systems 14.0, 15.0, and 16.0, as identified by the associated CPE strings. All devices running these Android releases are potentially impacted until the security patch is applied.

Risk and Exploitability

The CVSS score of 8.4 indicates a high-severity vulnerability; however, its EPSS score of less than 1% shows a very low current exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Exploitation is local and requires no user interaction: a malicious or compromised local application can trigger the flaw and gain higher privileges. The overall risk remains elevated because of the severity and the lack of user-side defenses, but the likelihood of active exploitation is still low.

Generated by OpenCVE AI on April 16, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the Android security patch released in the March 2026 Security Bulletin to update the affected OS versions
  • If an immediate OS update is not possible, use device-policy controls to restrict the DocumentsUI component so that only system-privileged applications can launch it
  • Revoke or uninstall any third‑party applications that may abuse PickActivity behaviour until the patch is applied



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000
  Title (added): Local Privilege Escalation via Arbitrary Activity Launch in Android PickActivity

Fri, 06 Mar 2026 04:30:00 +0000
  References changed (values not listed)

Fri, 06 Mar 2026 04:15:00 +0000
  References changed (values not listed)

Tue, 03 Mar 2026 13:30:00 +0000
  First time appeared (added): Google; Google android
  CPEs (added):
    cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
  Vendors & Products (added): Google; Google android

Mon, 02 Mar 2026 22:15:00 +0000
  Weaknesses (added): CWE-441
  Metrics (added):
    cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000
  Description (added): In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
  References changed (values not listed)

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:48:42.313Z

Reserved: 2025-10-15T15:38:43.799Z

Link: CVE-2026-0013

Vulnrichment

Updated: 2026-03-02T21:26:18.127Z

NVD

Status: Modified

Published: 2026-03-02T19:16:29.803

Modified: 2026-03-06T04:16:03.697

Link: CVE-2026-0013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses