Description
In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible way to trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the getAppLabel method of ForgetDeviceDialogFragment.java, where misleading or insufficient UI can trick a user into forgetting a device. According to the CVE description, this could lead to local escalation of privilege with no additional execution privileges needed. The weakness is classified as CWE-451, User Interface (UI) Misrepresentation of Critical Information.

Affected Systems

Affected are devices running Google Android that include the ForgetDeviceDialogFragment component. No specific version information is provided, so all builds containing the vulnerable code path may be impacted. Refer to the Android security bulletin for patch details.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, and the vector (AV:L/AC:L/PR:L/UI:N) describes a local attacker with low privileges. The EPSS score is not available. The CVE notes that user interaction is not needed for exploitation, suggesting an attacker with local access can trigger the flaw, possibly through another application or system process. The vulnerability is not listed in the CISA KEV catalog, implying no widely known active exploitation yet, but the potential for local privilege escalation makes it a serious risk for affected devices.

Generated by OpenCVE AI on June 2, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security update that addresses the getAppLabel UI flaw
  • If an update is not yet available, disable the Forget Device feature via device-management policy or local configuration
  • Monitor device management logs for unexpected device removal events and investigate any suspicious activity


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Misleading UI Enables Local Privilege Escalation by Device Forgetting

Tue, 02 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Misleading UI in Forget Device Dialog
Weaknesses CWE-200
CWE-863

Mon, 01 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Misleading UI in Forget Device Dialog
First Time appeared Google
Google android
Weaknesses CWE-200
CWE-863
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T22:55:25.182Z

Reserved: 2025-10-15T15:42:57.649Z

Link: CVE-2026-0096

Vulnrichment

Updated: 2026-06-01T22:53:50.419Z

NVD

Status: Received

Published: 2026-06-01T22:16:23.333

Modified: 2026-06-01T23:16:17.520

Link: CVE-2026-0096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T03:00:13Z

Weaknesses