Impact
This vulnerability is a heap buffer overflow (CWE-122) in the LoadedArsc.cpp component of Android that results in an out-of-bounds write. The flaw allows a local attacker to overwrite neighbouring memory on the heap, potentially modifying program state or crafting data that alters control flow. The impact is a local escalation of privilege: an attacker who already has a user-level session can obtain higher permissions without executing arbitrary code or requiring additional privileges.
Affected Systems
Google Android devices are affected; the advisory does not disclose the specific affected versions. The vulnerability resides in the core platform component for resource extraction, so all installations that include this code are potentially impacted.
Risk and Exploitability
The flaw has a CVSS score of 7.8. No EPSS score is available; exploitation potential exists, but there is no publicly known or documented exploitation activity at this time. The flaw is local; it does not require network access or user interaction, but any user with physical access or the ability to sideload applications that exercise the faulty loader can exploit it. It is not listed in the CISA KEV catalog, though the lack of such a listing does not remove the risk. Potential attackers would most likely trigger the overflow by loading specially crafted ARSC files or by abusing an app that uses the resource extraction API in a vulnerable manner.
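The C++ validator below shows the size checks a chunk walker must make before trusting length fields read from an ARSC file. It is an added example, not Android's code and not the fix for this flaw, whose root cause the advisory does not disclose. `ValidateArsc`, `ReadHeader` and `MakeSample` are hypothetical names, the sample bytes are constructed, and a little-endian host is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Generic 8-byte chunk header that starts every ARSC chunk (little-endian on disk).
struct ChunkHeader { uint16_t type; uint16_t header_size; uint32_t size; };
constexpr uint16_t kResTableType = 0x0002;  // RES_TABLE_TYPE
enum class ArscCheck { kOk, kTruncated, kBadHeaderSize, kBadChunkSize, kNotTable };

// Copies the header at `off` only after proving 8 bytes exist, then checks its sizes.
static ArscCheck ReadHeader(const uint8_t* data, size_t len, size_t off, ChunkHeader* out) {
    if (off > len || len - off < sizeof(ChunkHeader)) return ArscCheck::kTruncated;
    std::memcpy(out, data + off, sizeof(ChunkHeader));  // assumes little-endian host
    if (out->header_size < sizeof(ChunkHeader)) return ArscCheck::kBadHeaderSize;
    if (out->size < out->header_size || out->size > len - off) return ArscCheck::kBadChunkSize;
    return ArscCheck::kOk;
}

// Hypothetical validator: checks the outer table chunk, then each direct child.
ArscCheck ValidateArsc(const uint8_t* data, size_t len) {
    ChunkHeader table;
    ArscCheck rc = ReadHeader(data, len, 0, &table);
    if (rc != ArscCheck::kOk) return rc;
    if (table.type != kResTableType) return ArscCheck::kNotTable;
    const size_t end = table.size;  // children must stay inside the table chunk
    for (size_t off = table.header_size; off < end;) {
        ChunkHeader child;
        rc = ReadHeader(data, end, off, &child);
        if (rc != ArscCheck::kOk) return rc;
        off += child.size;  // size >= 8 and <= end - off, so this advances safely
    }
    return ArscCheck::kOk;
}

// Constructed sample: 12-byte table header plus one 8-byte child declaring `child_size`.
std::vector<uint8_t> MakeSample(uint32_t child_size) {
    std::vector<uint8_t> buf(20, 0);
    const ChunkHeader table{kResTableType, 12, 20};
    const ChunkHeader child{0x0001, 8, child_size};  // child type value is arbitrary here
    std::memcpy(buf.data(), &table, sizeof table);
    std::memcpy(buf.data() + 12, &child, sizeof child);
    return buf;
}

int main() {
    const auto good = MakeSample(8), bad = MakeSample(0x1000);
    return (ValidateArsc(good.data(), good.size()) == ArscCheck::kOk &&
            ValidateArsc(bad.data(), bad.size()) == ArscCheck::kBadChunkSize) ? 0 : 1;
}
```

The validator checks only the generic header fields; a real loader must also bound every offset and count inside each chunk type before using it to index memory.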