Description
In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect bounds check in several persistence functions can desynchronize state, allowing a local user to elevate privileges without additional execution rights or user interaction. The flaw allows manipulation of data that the system trusts, potentially granting the attacker root or system-level access and compromising confidentiality, integrity, and availability of the device. This flaw is classified under the common weakness enumeration identifier CWE-120.

Affected Systems

Google Android devices are impacted; no specific version information is provided in the advisory. The vulnerability applies to the core Android system components that handle persistence.

Risk and Exploitability

The vulnerability poses a high risk due to its nature as a local privilege escalation. The vulnerability has a CVSS score of 7.8, and the EPSS score is unavailable, but the lack of user interaction and the potential for unauthenticated privilege escalation suggest a severe threat. The vulnerability is not listed in the CISA KEV catalog, and a public exploit has not been documented. Attackers would operate from a local context with existing user privileges and could exploit the bounds check failure to gain elevated rights.

Generated by OpenCVE AI on June 2, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android operating system update as soon as Google releases it.
  • If a patch is not yet available, disable or limit the use of the affected persistence features until a fix is deployed.
  • Regularly check Google’s security bulletin and apply any new updates promptly.

Generated by OpenCVE AI on June 2, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*

Tue, 02 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Local privilege escalation via desynchronization in Android persistence functions
Weaknesses CWE-129
CWE-284

Mon, 01 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Local privilege escalation via desynchronization in Android persistence functions
First Time appeared Google
Google android
Weaknesses CWE-129
CWE-284
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T03:56:10.591Z

Reserved: 2026-03-02T19:10:53.531Z

Link: CVE-2026-28580

cve-icon Vulnrichment

Updated: 2026-06-01T22:28:10.936Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T22:16:25.013

Modified: 2026-06-02T18:03:24.700

Link: CVE-2026-28580

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T02:30:16Z

Weaknesses