Description
In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the validateNode function within ResourceTypes.cpp, where an incorrect bounds check allows an out‑of‑bounds read. This flaw can be exploited to gain elevated privileges on the device without requiring any additional execution privileges. The impact is a local privilege escalation that could allow a malicious app or user to perform actions normally restricted to higher‑privileged components.

Affected Systems

This flaw affects Google Android devices. No specific Android versions are enumerated in the CNA data, but the issue resides in the source code referenced by the Android security bulletin for 2026‑06‑01.

Risk and Exploitability

The exploit requires only local access and does not require user interaction or network connectivity. While the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the nature of the flaw suggests a high severity risk for affected devices. An attacker who can run code locally may read protected memory and elevate privileges, potentially leading to full system compromise. The lack of publicly reported exploits does not reduce the inherent risk associated with such a flaw.

Generated by OpenCVE AI on June 1, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest Android OS release that contains the fix for this out‑of‑bounds read in ResourceTypes.cpp.
  • Apply the principle of least privilege by ensuring that all applications run with the minimum permissions required to function.
  • Monitor device logs for anomalous memory access patterns or unexpected privilege changes as an early warning of exploitation attempts.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-125
Metrics | (none) | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}


Mon, 01 Jun 2026 23:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | ResourceTypes.cpp Out-of-Bounds Read Causing Local Privilege Escalation
Weaknesses | (none) | CWE-119, CWE-788

Mon, 01 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Google; Google android
Vendors & Products | (none) | Google; Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T14:25:31.658Z

Reserved: 2025-10-15T15:41:02.147Z

Link: CVE-2026-0076

Vulnrichment

Updated: 2026-06-02T12:47:07.431Z

NVD

Status: Undergoing Analysis

Published: 2026-06-01T22:16:21.747

Modified: 2026-06-02T14:16:42.207

Link: CVE-2026-0076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T23:15:07Z
