CVE-2026-28586
Description
A missing permission check in Android's AppOpsService allows local information disclosure without user interaction or execution privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing permission check in Android's AppOpsService allows local information disclosure without user interaction or execution privileges.
Vulnerability
In multiple functions within AppOpsService.java, a missing permission check creates a permissions bypass vulnerability. This affects Android versions prior to the June 2026 security update. User interaction is not required for exploitation.
Exploitation
An attacker with local access to the affected device can exploit this vulnerability by triggering the vulnerable code path within AppOpsService.java. No special privileges or user interaction are needed.
Impact
Successful exploitation allows an attacker to gain unauthorized access to local information. The vulnerability does not grant additional execution privileges, meaning the attacker's access is limited to information disclosure.
Mitigation
This vulnerability is addressed in the June 2026 Android Security Bulletin [1]. Users should update their devices to the patched version. No workarounds are described in the available references.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.