CVE-2026-0046

Vulnerability

In the InputInterceptor component within Letterbox.java, a tapjacking or overlay attack vulnerability exists. This flaw allows an attacker to trick a user into accepting a permission prompt that appears to be from a legitimate application, but is actually an overlay controlled by the attacker. This vulnerability affects Android versions that include this component.

Exploitation

An attacker can exploit this vulnerability by presenting a malicious overlay that covers legitimate UI elements, specifically permission request dialogs. When the user interacts with the overlay, believing it to be part of the intended application, they inadvertently grant permissions to the attacker's application. User interaction is not needed for exploitation beyond the initial trickery.

Impact

Successful exploitation of this vulnerability can lead to a local privilege escalation. The attacker gains the permissions that the user was tricked into granting, without needing any additional execution privileges. This could allow an attacker to access sensitive data or perform actions on behalf of the user.

Mitigation

This vulnerability was addressed in the June 2026 Android Security Bulletin [1]. Users should ensure their devices are updated to receive the security patch. Specific fixed versions are detailed in the bulletin. No workarounds are mentioned, and it is not listed as end-of-life or on the Known Exploited Vulnerabilities (KEV) catalog.