Description
In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in Android’s SettingsLib omits an essential permission check, allowing a local user or app to obtain elevated privileges with no additional execution privileges needed. The flaw permits any local user to perform privileged actions on the device, compromising the integrity and confidentiality of system data. No user interaction beyond normal device usage is required for exploitation, so an attacker who already has local access can exploit it with little effort.

Affected Systems

The vulnerability affects Google’s Android operating system, specifically the SettingsLib component that manages system settings. No particular Android version or build is specified in the available data, so all devices using the affected component are potentially at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 10.0, indicating maximum severity. Its EPSS score is below 1%, suggesting a low probability of widespread exploitation, yet the local nature of the attack and the absence of user interaction make it a high‑impact risk for any compromised device. The flaw is not listed in CISA’s KEV catalog, but its critical score warrants urgent attention. Exploitation requires only local access; an attacker could rapidly elevate privileges on the device by triggering the affected component through normal user actions.

Generated by OpenCVE AI on June 17, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android security update that fixes the permission check error in SettingsLib.
  • Reduce local user privileges by disabling unnecessary permissions for non‑essential apps and tightening device admin controls.
  • Implement enterprise mobility management to enforce least‑privilege policies and continuously monitor for signs of privilege escalation.


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 08:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Google
                                        Google android
Vendors & Products                      Google
                                        Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type          Values Removed    Values Added
Description                     In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics                         cvssV4_0
                                {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T14:05:07.987Z

Reserved: 2025-10-15T15:40:55.499Z

Link: CVE-2026-0071

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T08:30:04Z

Weaknesses

No weakness.