CVE-2026-0012 Overview
CVE-2026-0012 is an information disclosure vulnerability in Google Android's ExpandableNotificationRow.java component. A logic error in the setHideSensitive function can lead to the unintended exposure of contact names through the notification system. This vulnerability allows local information disclosure without requiring additional execution privileges or user interaction.
Critical Impact
Sensitive contact information can be leaked through Android's notification system due to improper handling of sensitive data visibility, potentially exposing private user data to unauthorized local processes.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0
Discovery Timeline
- 2026-03-02 - CVE-2026-0012 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-0012
Vulnerability Analysis
This vulnerability exists within the setHideSensitive method of ExpandableNotificationRow.java, a core component of Android's notification display system. The function is responsible for controlling whether sensitive content—such as contact names, message previews, and other personal information—should be hidden when the device is locked or when the user has configured privacy settings to conceal notification contents.
The logic error causes the system to improperly evaluate the conditions under which sensitive data should be hidden. As a result, contact names that should be concealed based on user privacy preferences or device lock state may be inadvertently displayed or made accessible to local processes. The vulnerability can be exploited locally without requiring any special privileges or user interaction, making it particularly concerning for multi-user device scenarios or environments where malicious local applications may be present.
Root Cause
The root cause is a logic error within the setHideSensitive function in ExpandableNotificationRow.java. The code fails to properly enforce the hiding of sensitive notification content under certain conditions, leading to information leakage. This represents a CWE-284 (Improper Access Control) weakness where the access control mechanism for sensitive notification data does not function as intended.
Attack Vector
The attack vector is local, meaning an attacker would need access to the device or the ability to execute code on the device. A malicious application running on the same device could potentially exploit this vulnerability to access contact names that should be hidden according to the user's privacy settings. The exploitation requires no user interaction and no additional privileges, making it relatively straightforward for a local attacker to leverage.
Detection Methods for CVE-2026-0012
Indicators of Compromise
- Unusual access patterns to notification data by third-party applications
- Applications querying notification listener services without clear business need
- Unexpected data exfiltration from notification-related system components
Detection Strategies
- Monitor for applications requesting NotificationListenerService permissions that may attempt to capture sensitive notification content
- Implement application behavior analysis to detect apps reading notification data outside of expected patterns
- Review device logs for anomalies in ExpandableNotificationRow component behavior
Monitoring Recommendations
- Enable enhanced logging for notification system components on managed devices
- Deploy mobile threat defense solutions capable of detecting suspicious notification access patterns
- Regularly audit installed applications for excessive or suspicious permission usage
How to Mitigate CVE-2026-0012
Immediate Actions Required
- Apply the March 2026 Android Security Bulletin patches immediately
- Review and restrict applications with notification access permissions
- Consider disabling notification content on lock screen until patched
- Audit third-party applications for suspicious behavior related to notifications
Patch Information
Google has addressed this vulnerability in the Android Security Bulletin March 2026. Device manufacturers and carriers should incorporate these patches into their device updates. End users should apply the latest security updates for their Android devices as soon as they become available from their device manufacturer or carrier.
Workarounds
- Navigate to Settings > Notifications and disable "Sensitive notification content" from appearing on the lock screen
- Review and remove notification access for untrusted applications via Settings > Apps > Special app access > Notification access
- Consider restricting installation of applications from unknown sources
- Use device encryption to add an additional layer of protection for stored data
# ADB command to check notification listener services (for security auditing)
adb shell dumpsys notification | grep -A 5 "NotificationListeners"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
