Description
In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the updateProvidersWhenServiceRemoved method of CredentialManagerService, a permissions bypass allows a user to override settings across other user profiles. This flaw results in local disclosure of internal information without requiring any additional execution privileges or user interaction. The weakness reflects missing or incorrect access control (CWE‑269).

Affected Systems

Affected systems include any devices running Google Android that contain the CredentialManagerService component. The vulnerability exists in unspecified Android releases that include the referenced method, as no specific version range is provided.

Risk and Exploitability

The CVSS score of 3.3 indicates a low-impact vulnerability, and the EPSS score is not disclosed. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the device; no remote or privilege escalation is needed. As the threat surface is limited to users on the same device, the overall risk remains low.

Generated by OpenCVE AI on June 2, 2026 at 04:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security update that patches the CredentialManagerService permission bypass.
  • Restrict or revoke the permission that allows cross‑user configuration changes to limit unauthorized access.
  • If no patch is available, disable or uninstall CredentialManagerService for profiles that should not share data to mitigate information disclosure.
  • Continuously monitor system logs for anomalous cross‑user configuration modifications to detect potential exploitation attempts.

Generated by OpenCVE AI on June 2, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Cross‑User Settings Override in Android CredentialManagerService

Tue, 02 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title CredentialManagerService Permissions Bypass Allowing Local Information Disclosure Across Users
Weaknesses CWE-199
CWE-284

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title CredentialManagerService Permissions Bypass Allowing Local Information Disclosure Across Users
First Time appeared Google
Google android
Weaknesses CWE-199
CWE-284
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:43:26.328Z

Reserved: 2025-10-15T15:38:48.429Z

Link: CVE-2026-0016

cve-icon Vulnrichment

Updated: 2026-06-01T23:43:18.659Z

cve-icon NVD

Status : Received

Published: 2026-06-01T22:16:19.303

Modified: 2026-06-02T00:16:33.283

Link: CVE-2026-0016

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T04:30:36Z

Weaknesses