CVE-2026-0013 Overview
A confused deputy vulnerability exists in the setupLayout function of PickActivity.java within Google Android's DocumentsUI application. This security flaw allows a malicious application to leverage the DocumentsUI app's privileges to start arbitrary activities, effectively bypassing normal security restrictions. The vulnerability enables local privilege escalation without requiring any additional execution privileges or user interaction.
Critical Impact
Attackers can exploit this confused deputy vulnerability to escalate privileges locally, potentially gaining unauthorized access to protected system resources and sensitive data by impersonating the DocumentsUI application's trusted context.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0
Discovery Timeline
- 2026-03-02 - CVE-2026-0013 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-0013
Vulnerability Analysis
This vulnerability represents a classic confused deputy attack scenario within Android's DocumentsUI component. The DocumentsUI application is a privileged system application responsible for providing a unified file picker interface across Android. Due to improper validation in the setupLayout method of PickActivity.java, the component can be tricked into performing privileged actions on behalf of an untrusted caller application.
The confused deputy pattern (CWE-441) occurs when a privileged program is manipulated by a less privileged entity to misuse its authority. In this case, a malicious application can craft specific intents that cause PickActivity to launch arbitrary activities under the DocumentsUI app's identity and permissions, effectively bypassing Android's permission model and sandbox isolation.
Root Cause
The root cause lies in insufficient validation of intent parameters within the setupLayout method of PickActivity.java. When processing incoming intents, the activity fails to properly verify that the requested action is legitimate and authorized. This allows attackers to specify arbitrary activity components that the DocumentsUI app will launch with its elevated privileges, rather than the caller's restricted permissions.
Attack Vector
The attack is executed locally on the device. A malicious application installed on the target Android device can exploit this vulnerability by sending specially crafted intents to the DocumentsUI's PickActivity component. The attack does not require any special permissions for the malicious application, nor does it require user interaction. When the malicious intent is processed, PickActivity inadvertently starts the attacker-specified activity with DocumentsUI's system-level privileges, enabling unauthorized access to protected resources or actions that would normally be restricted.
The vulnerability is exploited through Android's intent mechanism. A malicious application constructs an intent targeting PickActivity with parameters designed to redirect execution flow to an arbitrary activity component. Since DocumentsUI runs with elevated system privileges, the launched activity inherits these privileges, allowing actions that the attacking application could not perform directly.
Detection Methods for CVE-2026-0013
Indicators of Compromise
- Unusual activity launches originating from the DocumentsUI process targeting unexpected components
- Suspicious intent activity involving PickActivity with non-standard parameters or target components
- Unexpected privilege escalation events where unprivileged apps gain access to system-protected resources
Detection Strategies
- Monitor Android system logs for abnormal intent routing patterns involving DocumentsUI and PickActivity
- Implement runtime monitoring to detect privilege escalation attempts from untrusted applications
- Deploy endpoint detection solutions capable of identifying confused deputy exploitation patterns on Android devices
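The log-monitoring strategy above, as an added example that is not part of the original advisory or any vendor tooling: it scans logcat text for activity launches issued by the DocumentsUI UID whose explicit target component lies outside DocumentsUI and outside an allowlist. Assumptions: the ActivityTaskManager START line shape shown in the sample, the two DocumentsUI package names, and the UID and allowlist values, which are device-specific and supplied by the caller.

```python
import re

# Assumed logcat shape for ActivityTaskManager START lines; confirm on your build.
START_RE = re.compile(
    r"ActivityTaskManager: START u(?P<user>\d+) \{(?P<intent>[^}]*)\}.*?from uid (?P<uid>\d+)"
)
CMP_RE = re.compile(r"\bcmp=(?P<pkg>[\w.]+)/(?P<cls>[\w.$]+)")
# Assumed package names for the AOSP and Google builds of DocumentsUI.
DOCSUI_PACKAGES = {"com.android.documentsui", "com.google.android.documentsui"}

# Constructed sample lines (not captured from a real device); DocumentsUI is uid 10087 here.
SAMPLE_LOG = [
    "03-05 10:15:01.120  1580  2101 I ActivityTaskManager: START u0 {act=android.intent.action.OPEN_DOCUMENT typ=*/* cmp=com.google.android.documentsui/com.android.documentsui.picker.PickActivity} from uid 10231",
    "03-05 10:15:01.480  1580  2101 I ActivityTaskManager: START u0 {flg=0x10000000 cmp=com.example.target/.internal.HiddenActivity} from uid 10087",
    "03-05 10:15:09.002  1580  2101 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=content://com.example.provider/doc/1 cmp=com.example.viewer/.ViewActivity} from uid 10087",
    "03-05 10:16:00.000  1580  2101 I ActivityTaskManager: START u0 {cmp=com.example.target/.internal.HiddenActivity} from uid 10231",
]


def find_suspicious_launches(lines, docsui_uid, allowed_packages=frozenset()):
    """Return launches made by the DocumentsUI uid to an explicit component
    that is neither inside DocumentsUI nor in the caller-supplied allowlist."""
    findings = []
    for line in lines:
        start = START_RE.search(line)
        if not start or int(start.group("uid")) != docsui_uid:
            continue  # not a START line, or not issued by DocumentsUI
        target = CMP_RE.search(start.group("intent"))
        if not target:
            continue  # implicit intent: no explicit component to judge
        pkg, cls = target.group("pkg"), target.group("cls")
        if pkg in DOCSUI_PACKAGES or pkg in allowed_packages:
            continue  # DocumentsUI's own screens or an expected viewer
        if cls.startswith("."):
            cls = pkg + cls  # expand the shorthand class name
        findings.append({"user": int(start.group("user")), "package": pkg,
                         "activity": cls, "raw": line.strip()})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_launches(SAMPLE_LOG, 10087, {"com.example.viewer"}):
        print(hit["package"], hit["activity"])
```

DocumentsUI legitimately opens picked files in viewer apps, so build the allowlist from a baseline of normal use before alerting on the remainder.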
Monitoring Recommendations
- Enable verbose logging for the DocumentsUI application to capture all incoming intents and activity launches
- Configure alerts for unusual inter-process communication patterns involving system applications
- Regularly audit installed applications for behaviors consistent with privilege escalation attempts
How to Mitigate CVE-2026-0013
Immediate Actions Required
- Apply the Android security patch from the Android Security Bulletin March 2026 immediately
- Ensure all affected Android devices (versions 14.0, 15.0, and 16.0) are updated to the latest security patch level
- Audit installed applications and remove any untrusted or suspicious applications that could attempt exploitation
Patch Information
Google has released security updates addressing this vulnerability in the Android Security Bulletin March 2026. Device manufacturers should integrate these patches into their firmware updates. End users should ensure their devices are running the March 2026 security patch level or later to be protected against this vulnerability.
Workarounds
- Limit installation of applications to trusted sources (Google Play Store) with Google Play Protect enabled
- Enable runtime permission monitoring through Android's built-in security features
- Consider implementing mobile device management (MDM) solutions that can detect and prevent privilege escalation attempts
- Restrict app sideloading on enterprise-managed devices until patches are applied
Organizations using SentinelOne Singularity Mobile can leverage its real-time threat detection capabilities to identify exploitation attempts and malicious applications targeting this vulnerability before successful privilege escalation occurs.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


