Vypr Intelligence · AI-generated · Jun 1, 2026 · 4 CVEs

Google Android: Four Privilege Escalation Flaws Disclosed June 1st

Google patched four privilege escalation vulnerabilities in Android, disclosed on June 1st, 2026, impacting various system components.

Key findings

  • Four Android vulnerabilities disclosed on June 1st, 2026, all enabling privilege escalation.
  • High-severity CVE-2026-0097 allows remote privilege escalation via Bluetooth LE pairing bypass.
  • CVE-2025-48570 is a confused deputy flaw that allows an activity to be launched from the background.
  • Other flaws include bypassing lockdown mode via screen pinning (CVE-2025-48616) and cross-user URI access (CVE-2025-22426).
  • None of the four disclosed vulnerabilities requires user interaction to exploit.

On June 1st, 2026, a batch of four vulnerabilities affecting Google's Android operating system was disclosed, all carrying the potential for privilege escalation. These issues, ranging in severity from low to high, highlight persistent logic errors and confused deputy flaws within core Android components.

One of the more significant vulnerabilities, CVE-2026-0097, is rated as High severity with a CVSSv3 score of 8.0. This flaw resides in multiple locations within the Android Bluetooth stack, specifically related to LE device pairing. A logic error allows for a bypass of user interaction, enabling remote (proximal/adjacent) escalation of privilege without requiring additional execution privileges. This means an attacker in close proximity could potentially gain higher system access without the user's explicit consent or action.

Another notable vulnerability, CVE-2025-48570, stems from a confused deputy vulnerability within the PipTaskOrganizer.java component. This issue allows for an activity to be launched from the background, leading to local privilege escalation. Similar to CVE-2026-0097, exploitation does not require additional execution privileges beyond what the attacker already possesses locally.

The remaining vulnerabilities, CVE-2025-48616 and CVE-2025-22426, also present local privilege escalation risks. CVE-2025-48616, rated Low severity (CVSSv3 3.3), involves a logic error in KeyguardViewMediator.java that permits bypassing lockdown mode with screen pinning, potentially leading to local information disclosure. CVE-2025-22426, found in ComputerEngine.java, is due to a logic error that allows access to URIs across different user profiles on the device, resulting in local privilege escalation.

All four vulnerabilities were disclosed on the same day, indicating a coordinated disclosure or a single discovery and patching cycle by Google. The descriptions suggest that user interaction is not required for exploitation in any of these cases, increasing their potential impact. The affected components range from Bluetooth pairing mechanisms to screen pinning and inter-user data access, underscoring the breadth of potential attack vectors within the Android ecosystem.

Details regarding specific affected Android versions and the exact patch release were not immediately available at the time of disclosure. However, given the nature of privilege escalation vulnerabilities, users are strongly advised to apply any available Android security updates as soon as they are released by Google or their device manufacturer. Staying current with security patches is the primary defense against such flaws.

AI-written article. Grounded in 4 CVE records listed below.