Description
In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in several functions of WindowState.java where a crafted overlay or tapjacking attack can mislead a user into accepting a permission. The attack does not require any user interaction beyond the deceptive overlay, meaning an attacker can elevate local privileges without explicit cooperation. The consequence is that the victim can gain higher privilege on the device, potentially accessing sensitive data or modifying system configurations.

Affected Systems

This flaw affects the Android operating system distributed by Google. No specific version identifiers are listed in the data, so any Android release that incorporates the affected functions of WindowState.java is potentially vulnerable.

Risk and Exploitability

The EPSS score of <1% and its absence from the CISA KEV catalog indicate no confirmed public exploitation yet. However, the flaw carries high risk due to its local privilege escalation impact and the lack of user interaction needed. The likely attack vector is an overlay or tapjacking GUI that traps a user or activates a permission dialog through deceptive means, exploiting how the system handles permission prompts.

Generated by OpenCVE AI on June 2, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch from Google to fix the WindowState overlay handling bug.
  • If a patch is not immediately available, restrict or revoke overlay permissions for applications until the fix is applied.
  • Monitor for and log any anomalous permission requests or overlay usage that could signal an ongoing attack.

Generated by OpenCVE AI on June 2, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Tapjacking Exploit Enables Local Privilege Escalation on Android
Weaknesses CWE-1181

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Tapjacking Exploit Enables Local Privilege Escalation on Android
Weaknesses CWE-1181

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T12:32:18.695Z

Reserved: 2025-10-15T15:40:39.686Z

Link: CVE-2026-0061

cve-icon Vulnrichment

Updated: 2026-06-02T12:31:49.215Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-01T22:16:21.170

Modified: 2026-06-02T14:16:41.843

Link: CVE-2026-0061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses