Google Android AppInfoBase Java Code Allows Unauthorized Access

CVE-2026-0021 ASB-A-430047417
Summary

A security issue in Google Android's AppInfoBase Java code allows an attacker to gain unauthorized access to sensitive information or take actions that should be restricted to other users, potentially escalating their privileges on the device without needing any additional permissions or user interaction.

What to do
  • Update google platform/packages/apps/settings to version 16-qpr2-next:2026-03-01.
  • Update google platform/packages/apps/settings to version 15:2026-03-01.
  • Update google platform/packages/apps/settings to version 16:2026-03-01.
  • Update google platform/packages/apps/settings to version 16-qpr2:2026-03-01.
  • Update google platform/packages/apps/settings to version 14:2026-03-01.
Affected software
Vendor | Product | Affected versions | Fix available
------ | ------- | ----------------- | -------------
google | android | 14.0 |
google | android | 15.0 |
google | android | 16.0 |
google | android | 16.0 |
google | android | 16.0 |
google | android | 16.0 |
google | platform/packages/apps/settings | > 16-qpr2-next:0, <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01
google | platform/packages/apps/settings | > 15:0, <= 15:2026-03-01 | 15:2026-03-01
google | platform/packages/apps/settings | > 16:0, <= 16:2026-03-01 | 16:2026-03-01
google | platform/packages/apps/settings | > 16-qpr2:0, <= 16-qpr2:2026-03-01 | 16-qpr2:2026-03-01
google | platform/packages/apps/settings | > 14:0, <= 14:2026-03-01 | 14:2026-03-01
Original title
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no addi...
Original description
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
NVD CVSS 3.1: 8.4
Vulnerability type
CWE-441
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026