Description
In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The StageCoordinator component in Android contains an oversight in its animation handling that allows a malicious overlay to intercept user interactions. An attacker can place a transparent layer over system controls and without the user noticing trigger privileged actions. This grants local privilege escalation, enabling the attacker to operate with higher privileges than the application without needing to execute arbitrary code.

Affected Systems

Google’s Android operating system is affected. No specific Android version information is provided, but any installation that includes the vulnerable StageCoordinator implementation may be at risk.

Risk and Exploitability

The vulnerability can be triggered locally and does not require user interaction, indicating a high likelihood of exploitation when an attacker can place malicious overlays on the device. The CVSS score of 7.8 and the EPSS score of less than 1% reflect a high severity but low exploitation probability. The nature of the flaw—local privilege escalation from a UI overlay—suggests a severe security impact. The issue is not listed in CISA’s KEV catalog, but the absence of a publicly known exploit does not diminish the potential danger as the attack vector is straightforward for an attacker with local device access.

Generated by OpenCVE AI on June 2, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Android to the latest security patch that addresses the StageCoordinator animation flaw.
  • Disable or limit overlay permissions for third‑party applications, particularly those that request SYSTEM_ALERT_WINDOW or similar permissions.
  • If a system update is unavailable, install a trusted overlay‑blocking app or a custom ROM that disables tap‑jacking behaviors as a temporary mitigation.

Generated by OpenCVE AI on June 2, 2026 at 15:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Tapjacking in Android StageCoordinator
Weaknesses CWE-1023
CWE-266

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T13:21:56.277Z

Reserved: 2025-10-15T15:39:22.082Z

Link: CVE-2026-0036

cve-icon Vulnrichment

Updated: 2026-06-02T13:21:53.158Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-01T22:16:19.517

Modified: 2026-06-02T14:16:41.523

Link: CVE-2026-0036

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T00:00:13Z

Weaknesses