Description
In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Android InputInterceptor in Letterbox.java contains a flaw that can be exploited through a tapjacking or overlay attack to trick a user into granting a permission that they did not intend to accept. This flaw allows an attacker to locally elevate privileges without requiring additional execution privileges or user interaction. The result is that the attacker can gain higher access rights on the device, potentially compromising data and functionality that should be protected by the operating system.

Affected Systems

Google Android devices are affected by this vulnerability. No specific Android OS version or build number is listed in the current data, so all installations that include the vulnerable Letterbox component should be considered at risk unless they have applied the latest security updates.

Risk and Exploitability

The absence of an EPSS score and the lack of listing in the CISA KEV catalog do not necessarily indicate low risk; the flaw enables local privilege escalation and can be triggered without user involvement. Attackers could construct an overlay interface that mimics a legitimate permission dialog, bypassing the user’s intent. Given the potential impact on device security and the lack of a public exploit reference, the risk to affected devices is significant, especially in environments where users are prone to interacting with overlay windows.

Generated by OpenCVE AI on June 1, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Android operating system to the latest security patch as released by Google in the 2026-06 Security Bulletin.
  • If a system update is not immediately available, disable or restrict overlay permissions for the Letterbox application through Settings → Apps → Letterbox → Permissions.
  • Audit installed applications for overlay capabilities and remove or deny overlay usage for any that modify the permission flow.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Values added:
  Weaknesses: CWE-269
  Metrics:
    cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values removed: none

Mon, 01 Jun 2026 23:15:00 +0000

Values added:
  Title: Tapjacking Overlay Bypass Enables Local Privilege Escalation in Android Letterbox InputInterceptor
  Weaknesses: CWE-639, CWE-863
Values removed: none

Mon, 01 Jun 2026 23:00:00 +0000

Values added:
  First Time appeared: Google, Google android
  Vendors & Products: Google, Google android
Values removed: none

Mon, 01 Jun 2026 21:45:00 +0000

Values added:
  Description: In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
  References: (none listed)
Values removed: none

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T15:45:21.725Z

Reserved: 2025-10-15T15:39:38.222Z

Link: CVE-2026-0046

Vulnrichment

Updated: 2026-06-02T15:45:17.411Z

NVD

Status: Undergoing Analysis

Published: 2026-06-01T22:16:20.293

Modified: 2026-06-02T17:16:24.600

Link: CVE-2026-0046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T23:00:16Z

Weaknesses