CVE-2026-0021 Overview
CVE-2026-0021 is a local privilege escalation vulnerability affecting Google Android. The vulnerability exists in the hasInteractAcrossUsersFullPermission function of AppInfoBase.java, where a confused deputy attack pattern enables a cross-user permission bypass. This flaw allows an attacker to escalate privileges locally without requiring any additional execution privileges or user interaction.
Critical Impact
This vulnerability enables local privilege escalation through a cross-user permission bypass, potentially allowing malicious applications to access data and permissions belonging to other users on multi-user Android devices.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3 releases)
Discovery Timeline
- 2026-03-02 - CVE-2026-0021 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-0021
Vulnerability Analysis
This vulnerability is classified as CWE-441 (Unintended Proxy or Intermediary), commonly known as a "confused deputy" attack. The flaw resides in the hasInteractAcrossUsersFullPermission method within AppInfoBase.java, a core Android framework component responsible for managing application permissions across user profiles.
Android supports multiple user profiles on a single device, with each user's data and applications isolated from others. The INTERACT_ACROSS_USERS_FULL permission is a protected system-level permission that grants an application the ability to interact with all users on the device. The vulnerability occurs when the permission check logic incorrectly validates cross-user access requests, allowing an unprivileged application to act as a confused deputy and inherit elevated permissions it should not possess.
Root Cause
The root cause lies in improper permission validation within the hasInteractAcrossUsersFullPermission function. The method fails to properly verify the calling context when checking cross-user permissions, allowing a malicious application to exploit the trust relationship between system components. This confused deputy scenario enables the attacker's code to perform privileged operations by leveraging the permissions of a more privileged system service.
Attack Vector
The attack is conducted locally on the device and requires no user interaction. An attacker can exploit this vulnerability by crafting a malicious application that triggers the vulnerable code path in AppInfoBase.java. The application manipulates the permission checking logic to bypass cross-user restrictions, effectively gaining access to another user's profile data and privileges.
The attack leverages the confused deputy pattern where:
- A malicious application makes a request to a privileged system service
- The system service performs the cross-user permission check via the vulnerable hasInteractAcrossUsersFullPermission method
- Due to improper validation, the request is processed with elevated privileges
- The attacker gains unauthorized cross-user access without holding the required permissions
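The following Python model is an added illustration of the CWE-441 pattern in the four steps above; it is not the code of AppInfoBase.java (which this page does not show). The service, the uids and the grant table are constructed for the example, and the pitfall it models is the generic Android one of a deputy that evaluates a permission check only after it has already switched to its own identity, so the check sees the deputy's grants instead of the caller's.

```python
"""Added model of the confused-deputy cross-user check (hypothetical, not
AppInfoBase.java). Uids, grants and the service logic are constructed."""
from dataclasses import dataclass

PERM = "android.permission.INTERACT_ACROSS_USERS_FULL"
PER_USER_RANGE = 100000       # Android UserHandle.PER_USER_RANGE: user id = uid // 100000
SYSTEM_UID = 1000             # system process uid for user 0
APP_UID_USER0 = 10123         # constructed: third-party app installed for user 0
APP_UID_USER10 = 1010123      # constructed: same app id (10123) installed for user 10

# Constructed grant table: only the system process holds the permission.
GRANTS = {SYSTEM_UID: {PERM}, APP_UID_USER0: set(), APP_UID_USER10: set()}


def user_id_of(uid: int) -> int:
    """Android user that owns a uid."""
    return uid // PER_USER_RANGE


def check_permission(uid: int, perm: str) -> bool:
    """Grant lookup keyed on a uid, like a package-manager permission check."""
    return perm in GRANTS.get(uid, set())


@dataclass
class CallContext:
    """Binder-style calling identity. A deputy clears the calling identity to
    act on a caller's behalf; afterwards effective_uid() is the deputy's own."""
    calling_uid: int
    self_uid: int = SYSTEM_UID
    cleared: bool = False

    def clear_calling_identity(self) -> None:
        self.cleared = True

    def restore_calling_identity(self) -> None:
        self.cleared = False

    def effective_uid(self) -> int:
        return self.self_uid if self.cleared else self.calling_uid


def cross_user_allowed_vulnerable(ctx: CallContext, target_user: int) -> bool:
    """Confused deputy: identity is cleared BEFORE the check, so a cross-user
    request is judged against the deputy's (system) grants, not the caller's."""
    ctx.clear_calling_identity()
    try:
        if target_user == user_id_of(ctx.calling_uid):
            return True                        # same-user access needs no permission
        return check_permission(ctx.effective_uid(), PERM)   # wrong uid: the deputy's
    finally:
        ctx.restore_calling_identity()


def cross_user_allowed_fixed(ctx: CallContext, target_user: int) -> bool:
    """Correct form: decide on the CALLER's grants while the calling identity is
    still intact; only after this passes may the deputy act as itself."""
    if target_user == user_id_of(ctx.calling_uid):
        return True
    return check_permission(ctx.calling_uid, PERM)


def serve_request(checker, calling_uid: int, target_user: int) -> str:
    """Outcome of one request routed through the given check: 'granted' or 'denied'."""
    ctx = CallContext(calling_uid=calling_uid)
    return "granted" if checker(ctx, target_user) else "denied"


if __name__ == "__main__":
    for name, checker in (("vulnerable", cross_user_allowed_vulnerable),
                          ("fixed", cross_user_allowed_fixed)):
        print(name, "app(user 0) -> user 10:", serve_request(checker, APP_UID_USER0, 10))
        print(name, "system -> user 10:", serve_request(checker, SYSTEM_UID, 10))
```

The difference between the two checks is a single line: which uid the permission lookup is keyed on. Any review of a cross-user check should confirm that the caller's identity is evaluated before the service elevates itself.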
For detailed technical information, see the Android Security Bulletin March 2026.
Detection Methods for CVE-2026-0021
Indicators of Compromise
- Unusual cross-user data access patterns in Android system logs
- Applications attempting to access user profile data outside their designated user context
- Suspicious permission check failures or bypasses logged by the Android framework
- Unexpected inter-user communication from unprivileged applications
Detection Strategies
- Monitor Android logcat for anomalous permission check behavior in AppInfoBase components
- Implement application behavior analysis to detect unauthorized cross-user access attempts
- Deploy endpoint detection solutions capable of identifying confused deputy attack patterns on Android devices
- Review installed applications for suspicious permission requests or behaviors targeting multi-user functionality
Monitoring Recommendations
- Enable verbose logging for Android permission framework components
- Monitor for applications with unusual cross-user activity that lack the INTERACT_ACROSS_USERS_FULL permission
- Implement security policies that alert on cross-user data access from non-system applications
- Regularly audit device logs for privilege escalation indicators
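As an added example for the detection strategies and monitoring recommendations above (not part of the original advisory), the script below scans logcat "threadtime" output for cross-user access events from non-system applications that are not known holders of INTERACT_ACROSS_USERS_FULL. The sample log lines, the CrossUserAccess tag and its message layout, and the allowlist of app ids are constructed; substitute the tag and message format of whichever framework component you enable verbose logging for, and build the allowlist from the real grants on the device.

```python
"""Added detector for cross-user access by non-system apps (constructed log
format; not an official Android log schema)."""
from __future__ import annotations
import re
from dataclasses import dataclass

PER_USER_RANGE = 100000         # Android UserHandle.PER_USER_RANGE
FIRST_APPLICATION_UID = 10000   # Android Process.FIRST_APPLICATION_UID

# Constructed logcat lines in "threadtime" format; the CrossUserAccess tag and
# message fields are hypothetical.
SAMPLE_LOGCAT = """\
03-02 10:15:02.123  1234  1256 I CrossUserAccess: uid=10123 target_user=0 op=read_profile
03-02 10:15:03.456  1234  1256 W CrossUserAccess: uid=1010123 target_user=0 op=read_profile
03-02 10:15:04.789  1234  1256 I CrossUserAccess: uid=1000 target_user=10 op=list_packages
03-02 10:15:05.001  1234  1256 W CrossUserAccess: uid=10456 target_user=10 op=read_profile
03-02 10:15:05.500  1234  1256 I CrossUserAccess: uid=10200 target_user=10 op=read_profile
03-02 10:15:06.002  2000  2001 D ActivityManager: unrelated line the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+[VDIWEF]\s+"
    r"CrossUserAccess:\s+uid=(?P<uid>\d+)\s+target_user=(?P<user>\d+)\s+op=(?P<op>\S+)\s*$"
)

# Constructed allowlist of app ids legitimately granted INTERACT_ACROSS_USERS_FULL
# (for example an enterprise MDM agent). In practice derive it from the device's
# package grants rather than hard-coding it.
ALLOWED_APP_IDS = {10200}


@dataclass(frozen=True)
class Alert:
    ts: str
    uid: int
    caller_user: int
    target_user: int
    op: str


def user_id_of(uid: int) -> int:
    return uid // PER_USER_RANGE


def app_id_of(uid: int) -> int:
    """Per-user-independent application id (the same app has one app id in every user)."""
    return uid % PER_USER_RANGE


def is_third_party_app(uid: int) -> bool:
    return app_id_of(uid) >= FIRST_APPLICATION_UID


def find_cross_user_alerts(logcat_text: str) -> list[Alert]:
    """Return one Alert per cross-user access by a non-system, non-allowlisted app."""
    alerts: list[Alert] = []
    for line in logcat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # not a CrossUserAccess event
        uid, target = int(m["uid"]), int(m["user"])
        caller_user = user_id_of(uid)
        if caller_user == target:
            continue                              # same-user access is normal
        if not is_third_party_app(uid):
            continue                              # system components are out of scope here
        if app_id_of(uid) in ALLOWED_APP_IDS:
            continue                              # known legitimate holder of the permission
        alerts.append(Alert(m["ts"], uid, caller_user, target, m["op"]))
    return alerts


if __name__ == "__main__":
    for a in find_cross_user_alerts(SAMPLE_LOGCAT):
        print(f"{a.ts} ALERT uid={a.uid} (user {a.caller_user}) -> user {a.target_user} op={a.op}")
```

To run it against a live device, pipe `adb logcat -v threadtime` into the function instead of the constructed sample. Keying the allowlist on the app id rather than the full uid matters on multi-user devices, because the same package receives a different uid in each user.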
How to Mitigate CVE-2026-0021
Immediate Actions Required
- Apply the March 2026 Android security patch as soon as it becomes available for your device
- Review and audit installed applications for potentially malicious behavior
- Restrict sideloading of applications from untrusted sources
- Consider temporary removal of sensitive secondary user profiles until the patch is applied
Patch Information
Google has addressed this vulnerability in the March 2026 Android Security Bulletin. Users should update their devices to the latest security patch level dated 2026-03-01 or later. Device manufacturers and carriers will distribute updates according to their respective release schedules.
For official patch details and availability, refer to the Android Security Bulletin March 2026.
Workarounds
- Disable or remove secondary user profiles on shared devices until the patch is applied
- Limit application installations to verified sources such as the Google Play Store
- Enable Google Play Protect to scan for potentially harmful applications
- Use Mobile Device Management (MDM) solutions to enforce application restrictions on enterprise devices
# Check current Android security patch level
adb shell getprop ro.build.version.security_patch
# Verify the device is updated to 2026-03-01 or later
# If patch level is earlier, update through Settings > System > System update
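The following Python helper is an added example (not from the advisory) that automates the manual check above: it reads the security patch level and Android release from an attached device via adb and classifies the device against the affected releases and the 2026-03-01 patch level stated on this page. The adb property names are real; the classification logic and its thresholds are this example's own.

```python
"""Added patch-level check for CVE-2026-0021 (example code, not an official tool)."""
from __future__ import annotations
import shutil
import subprocess
from datetime import date
from typing import Optional

REQUIRED_PATCH_LEVEL = date(2026, 3, 1)   # security patch level named in the advisory
AFFECTED_MAJORS = {14, 15, 16}            # Android releases listed as affected


def parse_patch_level(prop_value: str) -> date:
    """Parse ro.build.version.security_patch, which is formatted YYYY-MM-DD."""
    return date.fromisoformat(prop_value.strip())


def is_patched(prop_value: str, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """True when the reported patch level is at or after the required one.
    An empty or malformed value is treated as not patched."""
    try:
        return parse_patch_level(prop_value) >= required
    except ValueError:
        return False


def major_release(release: str) -> Optional[int]:
    """Major version from ro.build.version.release ('15', '14.0', ...); None if unparsable."""
    try:
        return int(release.strip().split(".")[0])
    except ValueError:
        return None


def assess(release: str, patch_level: str) -> str:
    """Classify a device: 'not affected', 'patched', 'vulnerable' or 'unknown release'."""
    major = major_release(release)
    if major is None:
        return "unknown release"
    if major not in AFFECTED_MAJORS:
        return "not affected"
    return "patched" if is_patched(patch_level) else "vulnerable"


def getprop(name: str) -> Optional[str]:
    """Read a system property from the attached device; None if adb is unavailable or fails."""
    if shutil.which("adb") is None:
        return None
    proc = subprocess.run(["adb", "shell", "getprop", name],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout if proc.returncode == 0 else None


if __name__ == "__main__":
    release = getprop("ro.build.version.release")
    patch = getprop("ro.build.version.security_patch")
    if release is None or patch is None:
        print("adb not available or no device attached")
    else:
        print(f"Android {release.strip()}, patch level {patch.strip()}: "
              f"{assess(release, patch)}")
```

Treating a missing or unparsable patch level as unpatched is deliberate: a fleet audit should surface devices whose state cannot be confirmed rather than silently passing them.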
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


