Description
In multiple functions of AppOpsService.java, there is a possible missing permission check due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in AppOpsService.java where a permission check has been omitted. This omission permits local users to read sensitive information without acquiring additional privileges or performing any user interaction, thereby compromising confidentiality.

Affected Systems

All Google Android devices that run affected Android operating system versions. The precise version range is not disclosed in the advisory.

Risk and Exploitability

Because the flaw is local and requires no elevated privileges, an attacker with physical or local access can exploit it. The CVSS base score of 3.3 indicates low severity. The EPSS score is not available and the vulnerability is not listed in the KEV catalog, indicating no known active exploitation yet. Nonetheless, the severity of a confidentiality breach warrants prompt attention, and the lack of user interaction lowers the barrier for misuse.

Generated by OpenCVE AI on June 2, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch that enhances AppOpsService permission checks, thereby addressing the improper restriction of operations (CWE-269).
  • If an immediate update is not possible, enforce a device administration policy that limits privileged application access to AppOpsService, mitigating the improper restriction of operations (CWE-269).
  • Enable comprehensive auditing of AppOpsService operations to detect unauthorized reads, supporting detection of misuses related to the access control weakness.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Title Permission Check Bypass in Android AppOpsService Allows Local Information Disclosure

Tue, 02 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Title Missing Permission Check in AppOpsService Leading to Local Information Disclosure
Weaknesses CWE-284

Mon, 01 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Missing Permission Check in AppOpsService Leading to Local Information Disclosure
First Time appeared Google
Google android
Weaknesses CWE-284
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple functions of AppOpsService.java, there is a possible missing permission check due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T22:37:41.835Z

Reserved: 2026-03-02T19:11:00.351Z

Link: CVE-2026-28586

Vulnrichment

Updated: 2026-06-01T22:26:08.330Z

NVD

Status: Received

Published: 2026-06-01T22:16:25.213

Modified: 2026-06-01T23:16:22.800

Link: CVE-2026-28586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T03:00:13Z

Weaknesses