By weakness (CWE)
CWE-269: related vulnerabilities
CVEs classified under CWE-269. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
11 published vulnerabilities
- CVE-2026-0009HIGH 7.8
A logic error in Android allows a local attacker to hijack touch input through tapjacking attacks, potentially gaining elevated privileges on the device. No special permissions or user interaction are required for exploitation, making this a direct path to privilege escalation for any app already running on the compromised system.
- CVE-2026-0089HIGH 7.8
CVE-2026-0089 is a vulnerability in Android's PackageInstallerService that allows a local attacker with basic user-level permissions to bypass security checks and install applications without proper verification. Because the vulnerability exists in multiple functions that lack proper permission validation, an attacker can escalate their privileges by sidestepping the normal app installation safeguards. No user interaction or special device access is required to exploit this flaw once an attacker has obtained standard user privileges on the device.
- CVE-2026-0091HIGH 7.8
A privilege escalation vulnerability exists in Android where an over-privileged shell user can execute arbitrary code within the launcher process. An attacker with local access can exploit this weakness to gain elevated privileges without needing special execution rights or user interaction. This is a local-only threat that targets the core launcher functionality central to Android's user interface and app management.
- CVE-2026-0048MEDIUM 6.8
A vulnerability exists in Android's WindowState component that allows an attacker to overlay malicious UI on top of legitimate system dialogs, tricking users into granting permissions they did not intend to approve. The attack exploits a tapjacking technique where touch inputs are intercepted and misdirected. No special privileges or user awareness is required for the attack to succeed, making it a local but potentially high-impact privilege escalation vector.
- CVE-2026-0086MEDIUM 6.8
A vulnerability in Android's DisableSupervisionActivity allows an attacker to delete supervision data on a device by exploiting a missing null check in the onCreate method. This flaw enables local privilege escalation without requiring any special permissions or user interaction, meaning the exploit could trigger automatically during normal device operation. The vulnerability affects multiple Android versions and has a medium severity rating.
- CVE-2026-10217MEDIUM 6.3
A privilege management flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to escalate their access or perform unauthorized actions. The vulnerability affects the RoleAdmin Gateway component, specifically in how it handles configuration saves. An attacker with valid credentials can exploit this remotely to gain elevated permissions or manipulate role-based access controls, potentially affecting data confidentiality, integrity, and availability.
- CVE-2026-0046MEDIUM 6.2
CVE-2026-0046 is a local privilege escalation vulnerability affecting Google Android that exploits a weakness in the InputInterceptor component of Letterbox.java. An attacker can overlay malicious UI elements on top of legitimate permission prompts, tricking users into granting permissions they did not intend to approve. What makes this particularly concerning is that exploitation requires no special system privileges and occurs without user awareness—the victim merely sees what appears to be a normal permission dialog. The result is unauthorized elevation of the attacker's application privileges within the Android system.
- CVE-2026-0055MEDIUM 6.2
A path traversal vulnerability in Android's PackageInstallerService allows an attacker to write a Device Policy Controller (DPC) application to an unintended directory. By exploiting this flaw, an unprivileged local process can escalate its privileges without requiring user interaction or additional system permissions. The vulnerability affects multiple Android versions and could allow an attacker with local access to gain elevated capabilities on the device.
- CVE-2026-0016LOW 3.3
A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.
- CVE-2026-0050LOW 3.3
CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.
- CVE-2026-28586LOW 3.3
CVE-2026-28586 is a local information disclosure vulnerability in Android's AppOpsService that allows an already-authenticated user to bypass permission checks and read sensitive data they shouldn't have access to. The flaw requires the attacker to already have a local account on the device; there's no way to exploit it remotely. The exposure is classified as low-severity because the data leaked is limited and no system functions are disrupted.