In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In the DeviceId.java file, in the DeviceId method, range verification is missing during data operations. Omission of this check (CWE-120: buffer overflow) causes possible desynchronization in the data persistence mechanism. An attacker with local access to the device can exploit this irregularity without requiring user interaction or possession of elevated execution privileges.
An attacker can obtain local privilege escalation on a vulnerable Android device, potentially gaining control over system resources exceeding their original permission scope.
Security patches available from the manufacturer should be applied in accordance with references — Pixel Security Bulletin published 2026-03-01 at https://source.android.com/docs/security/bulletin/pixel/2026/2026-03-01
Google Android — versions indicated in manufacturer references (Pixel Security Bulletin from March 2026)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGoogle Android
OSGooglewszystkie wersje
Related vulnerabilities
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who ha...
Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application cr...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 150.0.7871.4...
Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed ...