{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0013", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "state": "PUBLISHED", "assignerShortName": "google_android", "dateReserved": "2025-10-15T15:38:43.799Z", "datePublished": "2026-03-02T18:42:38.389Z", "dateUpdated": "2026-03-06T03:48:42.313Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Android", "vendor": "Google", "versions": [{"status": "affected", "version": "16"}, {"status": "affected", "version": "15"}, {"status": "affected", "version": "14"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.</p>"}], "value": "In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "problemTypes": [{"descriptions": [{"description": "Elevation of privilege", "lang": "en"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-03-06T03:48:42.313Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.7.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-441", "lang": "en", "description": "CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-0013"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T04:56:51.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-02T21:26:26.933070Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-441", "description": "CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T21:26:18.127Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "16"}, {"status": "affected", "version": "15"}, {"status": "affected", "version": "14"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.7.1"}, "descriptions": [{"lang": "en", "value": "In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "supportingMedia": [{"type": "text/html", "value": "<p>In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Elevation of privilege"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-03-06T03:48:42.313Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0013", "state": "PUBLISHED", "dateUpdated": "2026-03-06T03:48:42.313Z", "dateReserved": "2025-10-15T15:38:43.799Z", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "datePublished": "2026-03-02T18:42:38.389Z", "assignerShortName": "google_android"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In setupLayout of PickActivity.java, there is a possible way to start any activity as a DocumentsUI app due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}, {"lang": "es", "value": "En setupLayout de PickActivity.java, existe una forma posible de iniciar cualquier actividad como una aplicaci\u00f3n DocumentsUI debido a un delegado confuso. Esto podr\u00eda llevar a una escalada local de privilegios sin necesidad de privilegios de ejecuci\u00f3n adicionales. La interacci\u00f3n del usuario no es necesaria para la explotaci\u00f3n."}], "id": "CVE-2026-0013", "lastModified": "2026-03-06T04:16:03.697", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T19:16:29.803", "references": [{"source": "security@android.com", "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-441"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "14"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Android", "source": "cna", "vendor": "Google"}, "product": "android", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-16T14:25:42.437332+00:00", "value": {"mitigation_remediation": ["Apply the Android security patch released in the March\u202f2026 Security Bulletin to update the affected OS versions", "If immediate OS update is not possible, use device\u2011policy controls to restrict the DocumentsUI component so only system\u2011privileged applications can launch it", "Revoke or uninstall any third\u2011party applications that may abuse PickActivity behaviour until the patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Android operating systems 14.0, 15.0, and 16.0, as identified by the associated CPE strings. All devices running these Android releases are potentially impacted until the security patch is applied.", "description_and_impact": "In the setupLayout method of PickActivity.java, a confused\u2011deputy flaw permits any application to start an activity as the DocumentsUI app without the need for additional execution privileges or user interaction. This flaw allows an attacker to execute arbitrary code with the higher permissions granted to the DocumentsUI context, effectively enabling a local escalation of privilege. The weakness is classified as CWE\u2011441: Confused Deputy.", "risk_and_exploitability": "The CVSS score of 8.4 indicates a high severity vulnerability, however its EPSS score of less than 1\u2009% shows a very low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation is local and requires no user interaction; a malicious or compromised local application can trigger the flaw and gain higher privileges. The overall risk remains elevated due to the severity and the lack of user\u2011side defenses, but the likelihood of active exploitation is still low."}}}}, "created": "2026-03-03T08:41:40.051240+00:00", "title": "Local Privilege Escalation via Arbitrary Activity Launch in Android PickActivity", "updated": "2026-04-16T14:30:16.148571+00:00", "vendors": ["google", "google$PRODUCT$android"]}