Description
In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a confusion in the getCallingPackageName method of Android's Shared.java. Attackers can run an application that bypasses the system’s activity‑start restrictions, allowing the app to launch privileged activities as though it had higher permissions. This bypass can be achieved without any additional execution privileges or user interaction, resulting in local privilege escalation. The weakness is identified as CWE‑441, Confused Deputy.

Affected Systems

The issue affects Android devices that include the Shared.java framework component. The advisory does not specify particular Android releases, so all currently shipping Android versions that have this component could be vulnerable until the patch is applied. Google explicitly references the issue in their 2026‑06 security bulletin.

Risk and Exploitability

The attack vector is local and does not require remote code execution. An attacker can embed the exploit in a malicious app or exploit an existing app with the right permissions to trigger the bypass. Because the EPSS score is not available and the vulnerability is not in CISA’s KEV catalog, the immediate likelihood of exploitation is uncertain, yet the CVSS score of 7.8 signals a high severity local privilege escalation that could elevate a device’s attacker capabilities.

Generated by OpenCVE AI on June 2, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android update referenced in Google's 2026‑06 security bulletin
  • Patch the Shared.java component by installing the latest Android version; ensure that the fix is in place
  • Review and enforce strict startActivity permission checks in applications; avoid relying on Shared.java for privileged launches
  • Deploy device monitoring or logging to detect and block unauthorized startActivity calls from untrusted sources

Generated by OpenCVE AI on June 2, 2026 at 02:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Activity Start Restriction Bypass in Shared.java Enables Local Privilege Escalation

Tue, 02 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Android Activity Start Restriction Bypass Allowing Local Privilege Escalation
Weaknesses CWE-640

Mon, 01 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-441
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Android Activity Start Restriction Bypass Allowing Local Privilege Escalation
First Time appeared Google
Google android
Weaknesses CWE-640
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T22:44:29.965Z

Reserved: 2025-10-15T15:43:00.826Z

Link: CVE-2026-0098

cve-icon Vulnrichment

Updated: 2026-06-01T22:44:22.877Z

cve-icon NVD

Status : Received

Published: 2026-06-01T22:16:23.540

Modified: 2026-06-01T23:16:17.807

Link: CVE-2026-0098

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T03:00:13Z

Weaknesses