Description
In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Android’s WindowState.java allows an attacker to overlay a concealed view that can trick a user into approving permissions. The technique, known as tapjacking or overlay attack, can be executed without the user needing to perform any explicit interaction and can elevate local privileges. The vulnerability is exposed by improper handling of overlay windows and user permissions, enabling an app to gain privileges beyond its intended scope.

Affected Systems

The issue affects Google Android devices; specific OS versions impacted are not listed in the advisory and tables, so all releases may be at risk until patched.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score of less than 1% shows a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying no known public exploitation yet. The attack requires no extra execution privileges and relies on a tapjacking/overlay technique that can be performed without user interaction. Typically, any app that can display overlays poses the attack surface, allowing an attacker to raise local privileges on a device running the affected Android version.

Generated by OpenCVE AI on June 2, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android OS update once it becomes available, as it contains the fix for this vulnerability.
  • Revoke the SYSTEM_ALERT_WINDOW (overlay) permission from any installed application that does not require it, reducing the attack surface for overlay‑based exploits.
  • If the device is managed by an MDM or EMM, configure a policy that blocks or logs unknown overlay windows and enforces least‑privilege permissions for applications.

Generated by OpenCVE AI on June 2, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 02 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Android WindowState Tapjacking Allows Local Privilege Escalation

Tue, 02 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Title Tapjacking‑Induced Permission Approval Leading to Local Privilege Escalation in Android
Weaknesses CWE-602

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Tapjacking‑Induced Permission Approval Leading to Local Privilege Escalation in Android
First Time appeared Google
Google android
Weaknesses CWE-269
CWE-602
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T15:44:11.577Z

Reserved: 2025-10-15T15:39:41.132Z

Link: CVE-2026-0048

cve-icon Vulnrichment

Updated: 2026-06-02T15:44:04.270Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T22:16:20.393

Modified: 2026-06-02T18:46:52.070

Link: CVE-2026-0048

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses