Description
In parsePermissionGroup of ParsedPermissionUtils.java, there is a possible way to bypass a consent dialog to obtain permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in Android's parsePermissionGroup function enables an attacker to bypass the consent dialog for permissions, allowing local privilege escalation without requiring any user interaction or additional code execution. The vulnerability stems from improper restriction of permissions (CWE‑639) and can be exploited by locally running code to obtain elevated privileges over the device.

Affected Systems

Affected platforms include Google Android operating systems 14.0, 15.0, 16.0, and the 16.0 QPR2 beta releases 1 through 3, as identified by the listed CPEs.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity vulnerability, while the EPSS score of less than 1% implies a low current exploitation likelihood. Exploitation requires only local access to the device, and does not need user interaction, enabling attackers to elevate privileges and potentially access or control sensitive data. The vulnerability is not yet cataloged in CISA's KEV, suggesting it may not be widely exploited in the open.

Generated by OpenCVE AI on April 16, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security update released in the March 2026 security bulletin to patch the permission bypass in parsePermissionGroup.
  • Reboot the device after applying the update so that the permission framework reloads with the new restrictions.
  • If an update is not immediately available, limit installation of applications that request sensitive permissions or use a device management profile to block privileged permission requests until the update is applied.

Generated by OpenCVE AI on April 16, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title Android Consent Dialogue Bypass Allows Local Privilege Escalation

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:* cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 03 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In parsePermissionGroup of ParsedPermissionUtils.java, there is a possible way to bypass a consent dialog to obtain permissions due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:50:04.208Z

Reserved: 2025-10-15T15:38:55.306Z

Link: CVE-2026-0020

cve-icon Vulnrichment

Updated: 2026-03-02T21:14:59.220Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:30.240

Modified: 2026-03-06T04:16:04.390

Link: CVE-2026-0020

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses