Zero Day MonitorZDM

← Back to list

8.6

CVE-2026-0007

google · android

In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no add

Description

In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor	Product	Versions
google	android	—

References

https://source.android.com/docs/security/bulletin/2026/2026-03-01

Related News (1 articles)

Tier C

oss-security2h ago

The GNU C Library security advisory update for 2026-03-30

→ No new info (linked only)

CVSS 3.18.6 HIGH

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

CWECWE-1021, CWE-1021

PublishedMar 2, 2026

Last enriched3d ago

Trending Score27

Source articles1

Independent1

Info Completeness7/14

Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-4677EXP

Inappropriate implementation in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity

HIGHCVE-2026-4680EXP

Use after free in FedCM in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

HIGHCVE-2026-4673EXP

Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

HIGHCVE-2026-4679EXP

Integer overflow in Fonts in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

HIGHCVE-2026-4674EXP

Out of bounds read in CSS in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 2, 2026

Discovered by ZDM

Mar 26, 2026