Description
In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in the approvalLevelForDomainInternal routine of Android's DomainVerificationService allows an attacker to hijack an arbitrary app link. As the vulnerability statement describes, this yields local escalation of privilege with no additional execution privileges and no user interaction needed, potentially granting the attacker elevated privileges.

Affected Systems

The vulnerability affects the Google Android operating system, specifically the DomainVerificationService component. No specific Android version range is listed in the available data, so all releases employing this service could be impacted until a patch is released.

Risk and Exploitability

The CVSS score is 7.8 (High) and the EPSS score is < 1%, indicating a severe vulnerability with a low estimated probability of exploitation in the wild. The flaw allows local privilege escalation directly through a logic bypass, so a local attacker needs no further privileges and no external trigger. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires only local access to the affected service, the risk remains significant for all users of vulnerable Android devices. The attack vector is inferred to be local, originating from a non-trusted app or a malicious link processed by the system.

Generated by OpenCVE AI on June 2, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Android security patch that corrects the DomainVerificationService logic flaw as soon as it becomes available.
  • If a patch is delayed, limit the use of app links by disabling or restricting DomainVerificationService handling for non-trusted domains through system settings or a managed profile.
  • Enable detailed logging for DomainVerificationService events and regularly inspect the logs for anomalous app-link redirections.

Generated by OpenCVE AI on June 2, 2026 at 19:05 UTC.


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 02 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Logic Error in Android DomainVerificationService Allows Local Privilege Escalation

Tue, 02 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via App Link Hijacking in Android Domain Verification
Weaknesses CWE-284

Tue, 02 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via App Link Hijacking in Android Domain Verification
First Time appeared Google
Google android
Weaknesses CWE-284
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-03T03:55:22.016Z

Reserved: 2025-10-15T15:42:44.499Z

Link: CVE-2026-0087

Vulnrichment

Updated: 2026-06-02T13:15:15.511Z

NVD

Status : Analyzed

Published: 2026-06-01T22:16:22.450

Modified: 2026-06-03T16:59:07.300

Link: CVE-2026-0087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T19:15:16Z

Weaknesses
  • CWE-693: Protection Mechanism Failure