There is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
The vulnerability is classified as CWE-787 (out of bounds write) and results from omission of buffer boundary checks before data writing. An attacker with local access to the device can trigger a write operation outside the permitted memory area, allowing manipulation of data structures or code in the process memory. The lack of any user interaction requirement and the lack of need for additional execution privileges significantly lower the entry threshold for the attacker.
An attacker can achieve privilege escalation on the local device, potentially taking control of the operating system or its critical components. In a maximum threat scenario, complete takeover of the device is possible.
Security patches available from the manufacturer should be applied according to references — Pixel Security Bulletin available at: https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
Google Android — versions indicated in manufacturer references (Pixel Security Bulletin from March 2026)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XGoogle Android
OSGooglewszystkie wersje
Related vulnerabilities
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...
Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed ...