Description
In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In ResourceTypes.cpp, the setTo method performs an incorrect bounds check, allowing an attacker to read data beyond the intended array limits. This out-of-bounds read can expose sensitive local data to an application-level attacker without requiring elevated privileges or arbitrary code execution, leaking information that resides in memory. The flaw is a classic example of a buffer over-read (CWE-120): the bounds check fails to constrain the read, which leads to information disclosure.

Affected Systems

The flaw affects Google Android devices that run any operating system version prior to the vendor’s published fix. No specific version range is enumerated in the advisory, so administrators should treat all devices that have not yet applied the latest security patch as potentially vulnerable.

Risk and Exploitability

The vulnerability does not require user interaction and can be triggered by any code path that reaches the vulnerable setTo call. The CVSS score of 3.3 indicates low severity; the EPSS score is not available, and the vulnerability is not listed in CISA KEV. These factors suggest a moderate overall risk, but the potential to reveal confidential data warrants timely remediation.

Generated by OpenCVE AI on June 2, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android OS security patch that includes the fix for the ResourceTypes bounds check issue.
  • Configure the device to automatically receive OTA updates to ensure future patches are applied without manual action.
  • Continuously monitor the Android Security Bulletin for any follow‑up advisories or related vulnerabilities that may impact the system.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Local Information Disclosure via Bounds Check Failure in ResourceTypes.cpp

Tue, 02 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
Title Read out of bounds causing local information disclosure in Android ResourceTypes
Weaknesses CWE-119
CWE-200

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Read out of bounds causing local information disclosure in Android ResourceTypes
Weaknesses CWE-119
CWE-200

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:26:16.237Z

Reserved: 2025-10-15T15:40:31.342Z

Link: CVE-2026-0056

Vulnrichment

Updated: 2026-06-01T23:26:07.893Z

NVD

Status: Received

Published: 2026-06-01T22:16:20.883

Modified: 2026-06-02T00:16:34.830

Link: CVE-2026-0056

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T04:00:13Z

Weaknesses