CVE-2026-0013 Overview
CVE-2026-0013 is a local privilege escalation vulnerability in Google Android. The flaw resides in the setupLayout method of PickActivity.java within the DocumentsUI component. A confused deputy condition allows a local attacker to start arbitrary activities with the privileges of the DocumentsUI app. Exploitation requires no user interaction and no additional execution privileges. The vulnerability affects Android 14, 15, and 16, and is classified under CWE-441: Unintended Proxy or Intermediary (Confused Deputy).
Critical Impact
Local applications can leverage DocumentsUI as a confused deputy to launch privileged activities, resulting in elevation of privilege without user interaction.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0
Discovery Timeline
- 2026-03-02 - CVE-2026-0013 published to NVD
- 2026-03-06 - Last updated in NVD database
Technical Details for CVE-2026-0013
Vulnerability Analysis
The vulnerability exists in the setupLayout function of PickActivity.java, a component of the Android DocumentsUI system app. DocumentsUI is the privileged system app that mediates file picking and document access across Android applications. The flaw is categorized as a confused deputy issue, where a privileged component performs an action on behalf of a less-privileged caller without correctly validating the caller's authority. An unprivileged local application can craft an intent that causes DocumentsUI to start an activity the caller could not start directly. The downstream activity runs in the privilege context of DocumentsUI rather than that of the originating app, breaking the Android permission boundary.
Root Cause
The root cause is insufficient validation of caller-supplied intent parameters within setupLayout. The method forwards the intent into an activity launch path without verifying that the originating UID is authorized to invoke the target component. Because DocumentsUI runs with elevated privileges, the launched activity executes in a context the attacker could not otherwise obtain.
Attack Vector
Exploitation is local. A malicious application installed on the device crafts an intent and delivers it to DocumentsUI. The vulnerable setupLayout flow processes the intent and starts the attacker-chosen activity as the DocumentsUI app. No user interaction is required, and the malicious app needs no special Android permissions to trigger the path. The result is local elevation of privilege bounded by the rights granted to DocumentsUI. Technical details are documented in the Android Security Bulletin March 2026.
Detection Methods for CVE-2026-0013
Indicators of Compromise
- Unexpected activity launches attributed to the DocumentsUI package (com.android.documentsui) that originate from intents supplied by third-party applications.
- Installation of recently sideloaded or untrusted applications immediately preceding anomalous DocumentsUI activity transitions in logcat.
- System log entries showing PickActivity starting components that are not part of standard document-picker workflows.
Detection Strategies
- Monitor Android device telemetry for unusual intent chains where DocumentsUI launches non-document-handling activities.
- Inspect application install events for apps requesting document access APIs shortly before privilege-escalation indicators appear.
- Correlate ActivityManager logs with package install metadata to identify third-party apps targeting DocumentsUI as a launch proxy.
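The intent-chain heuristic above, as an added example (not part of the original advisory): it parses ActivityManager START lines from logcat, remembers the last third-party app that entered PickActivity, and flags any activity start issued under DocumentsUI's own uid that leaves the com.android.documentsui package. The log lines, the app uid 10231, the DocumentsUI uid 10069 and the target package com.example.privileged are constructed assumptions; on a real device the DocumentsUI uid comes from `adb shell pm list packages -U com.android.documentsui`.

```python
import re

# Constructed sample in `logcat -v threadtime` layout, not captured from a real device.
# uid 10231 plays a third-party app; uid 10069 is assumed to be com.android.documentsui.
SAMPLE_LOG = """\
03-03 10:15:02.123  1234  1400 I ActivityManager: START u0 {act=android.intent.action.OPEN_DOCUMENT typ=*/* cmp=com.android.documentsui/.picker.PickActivity (has extras)} from uid 10231
03-03 10:15:02.301  1234  1400 I ActivityManager: START u0 {cmp=com.android.documentsui/.picker.PickActivity} from uid 10069
03-03 10:15:02.450  1234  1400 I ActivityManager: START u0 {cmp=com.example.privileged/.SensitiveActivity} from uid 10069
03-03 10:16:10.002  1234  1400 I ActivityManager: START u0 {act=android.intent.action.MAIN cmp=com.android.settings/.Settings} from uid 1000
"""

DOCUMENTSUI_PKG = "com.android.documentsui"
FIRST_APP_UID = 10000  # Android assigns uids >= 10000 to installed apps (AID_APP_START)

START_RE = re.compile(r"ActivityManager: START u\d+ \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)")
CMP_RE = re.compile(r"cmp=(?P<pkg>[\w.]+)/(?P<cls>\S+)")


def parse_starts(log_text):
    """Return (caller_uid, target_pkg, target_cls) for every ActivityManager START line."""
    starts = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        c = CMP_RE.search(m.group("intent")) if m else None
        if m and c:
            starts.append((int(m.group("uid")), c.group("pkg"), c.group("cls")))
    return starts


def find_proxy_launches(log_text, documentsui_uid, allowed_targets=frozenset()):
    """Flag activity starts issued by DocumentsUI's uid that target another package
    (unless that package is in `allowed_targets`), attributing each finding to the
    most recent third-party app that launched PickActivity. Returns a list of dicts."""
    findings, last_caller = [], None
    for uid, pkg, cls in parse_starts(log_text):
        if (pkg == DOCUMENTSUI_PKG and cls.endswith("PickActivity")
                and uid >= FIRST_APP_UID and uid != documentsui_uid):
            last_caller = uid  # a third-party app entered the document picker
        elif uid == documentsui_uid and pkg != DOCUMENTSUI_PKG and pkg not in allowed_targets:
            findings.append({"caller_uid": last_caller, "target": f"{pkg}/{cls}"})
    return findings


if __name__ == "__main__":
    for finding in find_proxy_launches(SAMPLE_LOG, documentsui_uid=10069):
        print("possible DocumentsUI proxy launch:", finding)
```

Populate `allowed_targets` with packages DocumentsUI is known to hand off to on your fleet to keep benign transitions out of the alert stream.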
Monitoring Recommendations
- Enroll Android 14, 15, and 16 devices in a mobile threat defense or mobile device management (MDM) solution that surfaces patch level and abnormal IPC behavior.
- Track the device security patch level field and alert on devices that have not received the March 2026 Android Security Bulletin patches.
- Review enterprise app inventories for unsanctioned applications on devices that handle sensitive data.
How to Mitigate CVE-2026-0013
Immediate Actions Required
- Apply the March 2026 Android security patch level to all affected Android 14, 15, and 16 devices as soon as the OEM release is available.
- Restrict installation of applications from untrusted sources by disabling sideloading through MDM policy.
- Audit installed applications on managed devices and remove any unknown or unnecessary packages.
Patch Information
Google addressed CVE-2026-0013 in the March 2026 Android Security Bulletin. Device manufacturers integrate the fix into their monthly security patch level. Confirm that managed devices report a security patch level of 2026-03-01 or later. See the Android Security Bulletin March 2026 for the authoritative patch reference.
Workarounds
- No official workaround exists. Patching to the March 2026 security patch level is the only supported remediation.
- Until patching is complete, limit device exposure to untrusted applications by enforcing Google Play Protect and blocking installation from unknown sources.
- For high-risk users, restrict device profiles to a curated allowlist of enterprise-approved applications.
# Verify the Android security patch level on a managed device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-03-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.