Description
In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in SettingsLib enables an application or system component to be disabled without user interaction, allowing a local attacker to elevate privilege. The flaw does not require any further execution privileges and can be triggered by simply interacting with the affected component. The impact is a loss of confidentiality, integrity and control over system services normally protected by the operating system.

Affected Systems

Google Android devices are affected. The specific Android releases that contain the vulnerability were not enumerated in the advisory, but the issue is noted in the Android 17 security bulletin.

Risk and Exploitability

No CVSS score is provided. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not part of CISA’s KEV catalog, although it is listed in the Android 17 bulletin. Exploitation requires local access to the device and no user interaction, which increases the risk for any compromised machine.

Generated by OpenCVE AI on June 17, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the security update for Android 17 that addresses the SettingsLib logic error, as referenced in the Google Android Security Bulletin.
  • If a timely update is unavailable, disable or remove any third‑party applications that may exploit SettingsLib or grant themselves elevated privileges.
  • Monitor the device for further advisories from Google and ensure that future security patches are applied promptly to eliminate the vulnerability.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 08:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Google; Google android
Vendors & Products | | Google; Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T13:53:42.672Z

Reserved: 2025-10-15T15:38:53.935Z

Link: CVE-2026-0019

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T08:00:04Z

Weaknesses

No weakness.