Description
In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in SettingsLib enables an application or system component to be disabled without user interaction, allowing a local attacker to elevate privilege. The flaw does not require any additional execution privileges and can be triggered by local code without user interaction. The impact is loss of control over system services that are normally protected by the operating system.

Affected Systems

Google Android devices are impacted. The official advisory references Android 17, but the specific version(s) that contain the flaw are not explicitly enumerated in the provided documentation. Therefore, the affected releases remain unspecified beyond the family of Android devices.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the device, and no user interaction is needed; this increases the risk for any compromised machine. The specific affected releases are not provided explicitly, so the actual risk depends on whether the device is running a vulnerable Android version.

Generated by OpenCVE AI on June 18, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the security update for the Android release referenced in the Google Android Security Bulletin that addresses the SettingsLib logic error.
  • If a timely update is unavailable, disable or remove any third‑party applications that may exploit SettingsLib or grant themselves elevated privileges.
  • Monitor the device for further advisories from Google and ensure that future security patches are applied promptly to eliminate the vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 22:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title SettingsLib Logic Error Enables Local Privilege Escalation

Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via SettingsLib Logic Error in Android
Weaknesses CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via SettingsLib Logic Error in Android
Weaknesses CWE-269
CWE-285
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Description In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-18T03:55:50.941Z

Reserved: 2025-10-15T15:38:53.935Z

Link: CVE-2026-0019

cve-icon Vulnrichment

Updated: 2026-06-17T13:53:34.190Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:00:13Z

Weaknesses
  • CWE-269

    Improper Privilege Management