The Android InputInterceptor in Letterbox.java contains a flaw that can be exercised through a tapjacking or overlay attack. By presenting a fake permission prompt over the legitimate UI, an attacker can cause a user to grant a permission they did not intend, which the system then applies with higher privileges. The vulnerability is a classic privilege‑escalation scenario involving authorisation bypass (CWE‑269) and does not require any additional code execution or user interaction beyond the overlay.

Google Android devices that ship with the Letterbox InputInterceptor component are potentially affected. The CVE data does not specify particular Android releases or build numbers, so any installation that has not applied the relevant security update remains at risk.

The CVSS score of 6.2 categorises the issue as moderate severity, while the EPSS score of less than 1% suggests that the exploit probability is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the attack does not require user interaction and can immediately elevate local privileges, the risk to devices carrying an unpatched or misconfigured Letterbox component remains significant, especially in environments that permit overlay applications.