CVE-2026-22078 PUBLISHED

O+ Connect's lack of authentication for IPC channels led to a local privilege escalation vulnerability.

Assigner: OPPO
Reserved: 06.01.2026 Published: 29.06.2026 Updated: 29.06.2026

Because O+ Connect's IPC service does not authenticate clients, external applications can escalate privileges and perform sensitive actions through the IPC channel.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CVSS Score: 7.3

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	OPPO
Product	O+ Connect
Versions	Default: unaffected Version 16.0.33 is affected

References

https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2070415238859333632

Problem Types

CWE-266 Incorrect privilege assignment CWE

Impacts

CAPEC-233 Privilege Escalation