CVE-2026-28580: Android Local Privilege Escalation via Bounds Check Flaw
CVE-2026-28580 is a local privilege escalation vulnerability affecting Google Android. An attacker with basic user-level access to a device can exploit an incorrect bounds check in multiple persistence-related functions to gain elevated privileges without requiring additional capabilities or interaction from the user. The issue stems from a synchronization problem that allows the attacker to manipulate persistent data in an unexpected way, ultimately escalating their permissions on the system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-120
- Affected products
- 4 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability involves a desynchronization flaw in persistence mechanisms across multiple functions within Android, caused by inadequate bounds validation. The CWE-120 classification (buffer copy without checking size of input—'classic buffer overflow') indicates that improper size checks allow out-of-bounds operations. An attacker with local access can trigger this condition to corrupt or manipulate privileged state, crossing privilege boundaries without needing execute-level permissions initially. The attack surface is local-only; there is no network component.
Business impact
Device compromise poses significant risk to enterprise deployments. An attacker gaining local escalation can access sensitive user data, modify system settings, install persistent malware, or intercept communications. For organizations managing Android devices—especially in bring-your-own-device (BYOD) environments—this vulnerability could allow lateral movement to corporate networks if the device is trusted. The lack of user interaction required means exploitation can occur silently during normal device operation, making detection and attribution difficult.
Affected systems
Google Android is the affected platform. The vulnerability affects multiple functions within the persistence subsystem. All Android versions and devices running vulnerable code are potentially at risk; consult Google's security advisory for precise version coverage and affected device models. This includes stock Android and device-specific implementations that have not yet received patches.
Exploitability
Exploitability is straightforward for a local attacker. The attack requires only basic user-level privileges on the device—no special system permissions, physical interaction, or social engineering is required. The vulnerability is triggered through normal system calls or application behavior that interacts with the affected persistence functions. Because no user interaction is needed, the exploitation window is wide: a malicious app or compromised process can trigger the flaw automatically. The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of easy local access, complete confidentiality/integrity/availability impact, and absence of user interaction.
Remediation
Apply security updates from Google as soon as they become available. Google typically delivers Android patches monthly via the Android Security & Maintenance Release (ASMR) bulletin. Device manufacturers and carriers may introduce additional delays. For organization-managed devices, enforce policy requiring devices to be running the latest security patch level. Check the official Android Security & Maintenance bulletin at source.android.com/security for patch release dates and affected version ranges.
Patch guidance
Monitor Google's official Android security advisories for the specific patch version addressing CVE-2026-28580. Patches are typically delivered to Pixel devices first, followed by broader rollout to carrier-managed and OEM devices. For enterprise environments, coordinate with device management (MDM) vendors to ensure patch distribution policies automatically deploy updates. Verify patch application by checking the device's security patch level in Settings > About Phone > Android Security & Maintenance Release (or similar, depending on Android version). Consider enforcing a maximum-age policy for security patches in your device security posture.
Detection guidance
Detection at the system level is challenging because the flaw involves in-memory state corruption rather than network activity. Monitor for suspicious privilege escalation events in audit logs (if available on managed devices). On Android, enable and review SELinux denials and privilege escalation attempts via logcat or enterprise logging. Application-level detection is difficult without vendor-supplied detection signatures. Rely primarily on ensuring devices are current with patches and employing endpoint detection and response (EDR) tools that monitor for unusual process behavior after exploitation. Behavioral indicators may include unexpected system service restarts, rapid permission acquisitions, or unusual file system modifications by apps.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH severity, lack of exploitation barriers, and silent nature. The CVSS 7.8 score reflects complete impact across confidentiality, integrity, and availability. Unlike vulnerabilities requiring specific permissions or user interaction, this flaw can be exploited passively. For organizations deploying Android in security-sensitive roles—healthcare, finance, or government—or managing BYOD fleets, timely patching is critical. The absence of a public exploit does not diminish urgency; local privilege escalation vulnerabilities are frequently weaponized post-disclosure.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) is justified by: Attack Vector (Local/AV:L) reflecting the requirement for pre-existing local access; Attack Complexity (Low/AC:L) indicating the flaw is straightforward to trigger; Privileges Required (Low/PR:L) requiring only basic user-level rights; User Interaction (None/UI:N) showing no user action is needed; Scope (Unchanged/S:U) as the impact is confined to the system; and High impact across Confidentiality, Integrity, and Availability (C:H/I:H/A:H) due to complete privilege escalation. The score reflects a serious local threat that does not require exceptional skill or situational luck to exploit.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-28580 is strictly a local privilege escalation vulnerability. An attacker must already have user-level access to the device (e.g., via a malicious app, compromised user account, or previous vulnerability). It cannot be exploited over the network.
Do I need to do anything immediately if I am running an affected Android version?
Yes. Check Google's official Android security advisory to confirm your device version is affected. If it is, prioritize installing the latest Android security patch. For enterprise devices, work with your MDM vendor to ensure automatic patch deployment. For personal devices, enable automatic system updates in Settings.
What is the difference between this vulnerability and a buffer overflow?
This is a type of buffer-related vulnerability (CWE-120), but the specific flaw is an incorrect bounds check in persistence logic that causes desynchronization—meaning the system's understanding of valid data boundaries becomes corrupted. The consequence is privilege escalation rather than a classic memory corruption crash.
If my device is patched, am I at risk?
No. Once you apply the security patch addressing CVE-2026-28580, the bounds check is corrected and the vulnerability is mitigated. Ensure you verify the patch level in your device's security settings and keep automatic updates enabled.
This analysis is provided for informational purposes and reflects publicly available information as of the vulnerability publication date. Security research, vendor patches, and threat intelligence evolve continuously. Verify all patch versions, affected products, and remediation guidance against official vendor advisories before implementing changes. SEC.co does not assume liability for decisions made based on this analysis. Consult with your security team and device manufacturers for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0056LOWAndroid ResourceTypes.cpp Out-of-Bounds Read Information Disclosure
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler