The vulnerability exists in the validateNode function within ResourceTypes.cpp, where an incorrect bounds check allows an out‑of‑bounds read. This flaw can be exploited to gain elevated privileges on the device without requiring any additional execution privileges. The impact is a local privilege escalation that could allow a malicious app or user to perform actions normally restricted to higher‑privileged components.

This flaw affects Google Android devices running Android 14.0, 15.0, 16.0, and the Android 16.0 qpr2 beta releases 1, 2, and 3. The issue resides in the source code referenced by the Android security bulletin for 2026‑06‑01.

The exploit requires only local access and does not require user interaction or network connectivity. The CVSS score is 7.8, indicating a high severity vulnerability. The EPSS score of less than 1% indicates a very low exploitation probability. While the vulnerability is not listed in the CISA KEV catalog, the nature of the flaw suggests a potentially significant risk for affected devices. An attacker who can run code locally may read protected memory and elevate privileges, potentially leading to full system compromise. The lack of publicly reported exploits does not reduce the inherent risk associated with such a flaw.