Description
In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Android’s SettingsLib is caused by a missing permission check due to a logic error in the code. This allows a local user to obtain elevated privileges without performing any additional execution beyond normal use of the device. The resulting privilege escalation could enable the attacker to carry out privileged actions on the device. While the description does not explicitly state the confidentiality or integrity consequences, it is inferred that the elevated privileges might provide access to sensitive system data or allow modification of system configuration.

Affected Systems

The vulnerability impacts Google’s Android operating system, specifically the SettingsLib component that manages system settings. No specific Android version or build is mentioned, so any device running the affected component is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 10, the vulnerability is considered maximum severity. The EPSS score is below 1%, indicating a low probability of widespread exploitation. Based on the description, it is inferred that the likely attack vector is local execution on the device without user interaction or additional privileges. Because the flaw is not listed in CISA’s KEV catalog, its critical score underscores the urgency of addressing it.

Generated by OpenCVE AI on June 18, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android security update that corrects the permission check error in SettingsLib.
  • Reduce local user privileges by disabling unnecessary permissions for non‑essential apps and tightening device admin controls.
  • Implement enterprise mobility management to enforce least‑privilege policies and monitor for signs of privilege escalation.

Generated by OpenCVE AI on June 18, 2026 at 22:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Missing Permission Check in Android SettingsLib Leading to Local Privilege Escalation

Thu, 18 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Local Privilege Escalation in Android SettingsLib
Weaknesses CWE-284

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Missing Permission Check Allows Local Privilege Escalation in Android SettingsLib
Weaknesses CWE-284

Wed, 17 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-18T03:55:57.528Z

Reserved: 2025-10-15T15:40:55.499Z

Link: CVE-2026-0071

cve-icon Vulnrichment

Updated: 2026-06-17T14:05:05.297Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses