Description
In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the resumeConfigurationDispatch method of ActivityRecord.java and enables a background application launch in the absence of proper control logic. This flaw can grant a local attacker elevated privileges without requiring additional execution permissions or user interaction. The flaw is an example of a logic error that can be exploited for privilege escalation, potentially allowing the attacker to perform actions normally restricted to higher-privileged processes.

Affected Systems

The affected products are Android systems provided by Google. No specific version information is supplied, so all Android installations that include the current ActivityRecord implementation are potentially vulnerable.

Risk and Exploitability

The CVE does not provide a CVSS score or EPSS value, but the lack of a user interaction requirement and the direct ability to gain higher privileges indicate a high risk to affected devices. The vulnerability is not listed in the CISA KEV catalog, yet its local nature means that any user with physical access can exploit it quickly.

Generated by OpenCVE AI on June 1, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Android to the latest security patch that addresses the logic flaw in ActivityRecord.java
  • If an immediate patch is not available, disable or restrict background app launching via device administration or enterprise mobility management (EMM) policies
  • Remove or limit privileged applications that can initiate background launches on the device

Generated by OpenCVE AI on June 1, 2026 at 22:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Android Activity Background Launch Logic Flaw
First Time appeared Google
Google android
Weaknesses CWE-665
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T13:58:08.646Z

Reserved: 2025-10-15T15:41:04.245Z

Link: CVE-2026-0077

cve-icon Vulnrichment

Updated: 2026-06-02T13:57:23.041Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-01T22:16:21.840

Modified: 2026-06-02T14:16:42.403

Link: CVE-2026-0077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T22:45:25Z

Weaknesses