By weakness (CWE)
CWE-1021: related vulnerabilities
CVEs classified under CWE-1021. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
3 published vulnerabilities
- CVE-2026-0036HIGH 7.8
CVE-2026-0036 is a tapjacking vulnerability in Android's StageCoordinator animation handler that allows a malicious app to escalate privileges without requiring user interaction or special permissions. An attacker with a local account on the device can overlay transparent windows to intercept touch events or manipulate the animation state, gaining unauthorized access to sensitive device functions and data. The vulnerability affects multiple Android versions and is rated HIGH severity due to its direct path to privilege escalation.
- CVE-2026-28577HIGH 7.8
A vulnerability in Android's window management system allows a locally authenticated attacker to perform a tapjacking attack—placing hidden overlay windows on top of legitimate applications to intercept user input or actions. This attack doesn't require user interaction to trigger and can result in unauthorized privilege escalation. The attacker needs only local access to the device (such as through an installed app), making it a practical threat in real-world scenarios.
- CVE-2026-0061MEDIUM 5.9
CVE-2026-0061 is a privilege escalation vulnerability in Android's WindowState component that allows an attacker to manipulate the permission-granting UI through overlay attacks (tapjacking). By displaying a malicious overlay on top of the system permission dialog, an attacker can trick users into granting sensitive permissions without explicit awareness. The critical aspect is that this requires no special execution privileges and no user interaction in the traditional sense—the attack succeeds through visual deception rather than social engineering or code execution exploits.