Description
In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in Android's DomainVerificationService occurs in the approvalLevelForDomainInternal routine, allowing an attacker to hijack an arbitrary app link. This manipulation escalates privileges locally without requiring execution of additional code or user interaction, potentially granting the attacker elevated or root level privileges.

Affected Systems

The vulnerability affects the Google Android operating system, specifically the DomainVerificationService component. No specific Android version range is listed in the available data, so all releases employing this service could be impacted until a patch is released.

Risk and Exploitability

The CVSS score is not provided and the EPSS data is unavailable, but the flaw allows local privilege escalation directly through a logic bypass, meaning any device owner or user could be compromised with no further privileges or external trigger. The vulnerability is not listed in the CISA KEV catalog. Because the exploit requires only local access to the affected service, the risk remains significant for all users of vulnerable Android devices. The attack vector is inferred to be local, originating from a non‑trusted app or malicious link processed by the system.

Generated by OpenCVE AI on June 1, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Android security patch that corrects the DomainVerificationService logic flaw as soon as it becomes available.
  • If a patch is delayed, limit the use of app links by disabling or restricting DomainVerificationService handling for non‑trusted domains through system settings or a managed profile.
  • Enable detailed logging for DomainVerificationService events and regularly inspect logs for anomalous app‑link redirections.

Generated by OpenCVE AI on June 1, 2026 at 22:39 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 14:30:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-693
Metrics                      cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:00:00 +0000

Type                 Values Removed   Values Added
Title                                 Local Privilege Escalation via App Link Hijacking in Android Domain Verification
First Time appeared                   Google
                                      Google android
Weaknesses                            CWE-284
Vendors & Products                    Google
                                      Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T13:15:21.872Z

Reserved: 2025-10-15T15:42:44.499Z

Link: CVE-2026-0087

Vulnrichment

Updated: 2026-06-02T13:15:15.511Z

NVD

Status: Undergoing Analysis

Published: 2026-06-01T22:16:22.450

Modified: 2026-06-02T14:16:42.750

Link: CVE-2026-0087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T22:45:25Z

Weaknesses