Description
In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The StageCoordinator component in Android contains an oversight in its animation handling that allows a malicious overlay to intercept user interactions. An attacker can place a transparent layer over system controls and, without the user noticing, trigger privileged actions. This grants local privilege escalation, enabling the attacker to operate with higher privileges than the application without needing to execute arbitrary code.

Affected Systems

Google’s Android operating system is affected. No specific Android version information is provided, but any installation that includes the vulnerable StageCoordinator implementation may be at risk.

Risk and Exploitability

The vulnerability can be triggered locally without user interaction, allowing an attacker to overlay a transparent UI layer and elevate privileges. The EPSS score of less than 1% indicates that the probability of exploitation in the wild is very low. Nonetheless, the CVSS score of 7.8 reflects the severity of the local privilege escalation. The issue is not listed in CISA’s KEV catalog, and while no publicly disclosed exploit exists, the attack vector remains straightforward for anyone with local device access.

Generated by OpenCVE AI on June 2, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Android to the latest security patch that addresses the StageCoordinator animation flaw.
  • Disable or limit overlay permissions for third‑party applications, particularly those that request SYSTEM_ALERT_WINDOW or similar permissions.
  • If a system update is unavailable, install a trusted overlay‑blocking app or a custom ROM that disables tap‑jacking behaviors as a temporary mitigation.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Android StageCoordinator Tapjacking Privilege Escalation

Tue, 02 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Tapjacking in Android StageCoordinator
Weaknesses CWE-1023
CWE-266

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Tapjacking in Android StageCoordinator
Weaknesses CWE-1023
CWE-266

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-03T03:55:24.299Z

Reserved: 2025-10-15T15:39:22.082Z

Link: CVE-2026-0036

Vulnrichment

Updated: 2026-06-02T13:21:53.158Z

NVD

Status: Analyzed

Published: 2026-06-01T22:16:19.517

Modified: 2026-06-03T14:21:52.667

Link: CVE-2026-0036

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:00:19Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames