CVE-2026-0034 Overview
CVE-2026-0034 is a local privilege escalation vulnerability in Google Android. The flaw resides in the setPackageOrComponentEnabled method of ManagedServices.java. Improper input validation causes a notification policy desync, enabling a local attacker to elevate privileges without user interaction. The vulnerability affects Android versions 14, 15, and 16, including multiple Android 16 QPR2 beta builds. Google addressed the issue in the March 2026 Android Security Bulletin. The weakness is classified under [CWE-20] Improper Input Validation.
Critical Impact
A local application can desynchronize notification policy state to gain elevated privileges on the device without requiring additional execution privileges or user interaction.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-03-02 - CVE-2026-0034 published to NVD
- 2026-03-06 - Last updated in NVD database
Technical Details for CVE-2026-0034
Vulnerability Analysis
The vulnerability exists in the setPackageOrComponentEnabled method of ManagedServices.java, a core Android framework component that manages bound services such as notification listeners and notification policy access services. The method fails to properly validate inputs that govern enable or disable transitions for managed service components. As a result, the cached notification policy state inside the system server can drift out of sync with the actual component enablement status.
This desynchronization creates a logic inconsistency. A component that should not hold notification access retains effective policy privileges, or a malicious caller can manipulate the enablement path to acquire privileges associated with a different package. The flaw is local in nature, but it does not require user interaction and does not require prior privileges beyond standard app installation.
Root Cause
The root cause is improper input validation [CWE-20] in setPackageOrComponentEnabled. The method does not sufficiently verify the relationship between the package, component, and the caller before mutating internal managed-services state. The internal data structures tracking approved notification services and the platform package manager state can diverge, producing a privilege boundary violation.
Attack Vector
Exploitation requires local access through a malicious or compromised application. The attacker invokes the affected code path to trigger the policy desync, then leverages the inconsistent state to obtain capabilities reserved for privileged notification services. No user prompt, accessibility grant, or additional permission elevation step is required. Because no verified public proof-of-concept is available and the EPSS probability is low, active exploitation has not been reported.
No verified exploit code is available for this issue. Refer to the Android Security Bulletin March 2026 for vendor-supplied technical details.
Detection Methods for CVE-2026-0034
Indicators of Compromise
- Applications gaining notification listener or notification policy access without a corresponding user grant in Settings.
- Discrepancies between NotificationManager policy state and the list of enabled components reported by PackageManager.
- Unexpected entries in the persisted managed-services XML state under /data/system/users/<id>/.
Detection Strategies
- Audit installed applications for those invoking notification access APIs shortly after installation or update.
- Compare the runtime set of approved notification services against the user-approved list captured during provisioning.
- Monitor logcat for anomalous ManagedServices enable/disable transitions originating from non-system UIDs.
Monitoring Recommendations
- Enforce mobile device management (MDM) policies that flag devices missing the March 2026 Android security patch level.
- Collect application install telemetry and correlate with subsequent notification access changes.
- Track Android Security Patch Level (SPL) across the managed fleet and alert on devices below 2026-03-01.
How to Mitigate CVE-2026-0034
Immediate Actions Required
- Apply the March 2026 Android security patch (SPL 2026-03-01 or later) on all Android 14, 15, and 16 devices.
- For devices on Android 16 QPR2 beta builds, move to the patched QPR2 release or a stable channel build that includes the fix.
- Restrict sideloading and enforce Google Play Protect on managed devices to reduce exposure to malicious local apps.
Patch Information
Google published the fix in the Android Security Bulletin March 2026. Device manufacturers (OEMs) ship the corresponding AOSP changes through their monthly security update channels. Verify the device security patch level in Settings under About phone after the update is applied.
Workarounds
- Limit application installation to vetted sources and enforce enterprise app allow-listing through MDM.
- Review and revoke notification listener and notification policy access for any application that does not require it.
- Disable beta channel enrollment on production fleets until devices receive the patched build.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-03-01 or later
# List packages with notification listener access
adb shell settings get secure enabled_notification_listeners
# List packages granted notification policy access
adb shell cmd notification allowed_listeners
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
