CVE-2026-0036 Overview
CVE-2026-0036 is a tapjacking vulnerability in the startAnimation method of StageCoordinator.java in Google Android. The flaw allows a malicious application to draw its own UI on top of legitimate windows during animation transitions. An application already running on the device can use this overlay condition to trick the user into tapping a privileged control they cannot see. Exploitation needs no additional execution privileges and no user interaction beyond the victim's ordinary use of the device: the attack redirects taps the user is already making, so no prompt has to be accepted. The issue affects Android 14, Android 15, and Android 16, including the QPR2 Beta 1, Beta 2, and Beta 3 releases. Google addressed the issue in the June 2026 Android Security Bulletin.
Critical Impact
Local escalation of privilege through a tapjacking overlay attack against the Android window animation pipeline; the victim's ordinary taps are hijacked, and no additional prompt or consent is required.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin addressing the issue
- 2026-06-01 - CVE-2026-0036 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-0036
Vulnerability Analysis
The vulnerability resides in the startAnimation routine of StageCoordinator.java, a component that orchestrates window transitions in the Android system UI. During the animation lifecycle, a malicious overlay window can be drawn on top of a sensitive system surface. The user perceives the overlay as part of the legitimate UI and interacts with attacker-controlled elements while the taps land on the surface underneath. The flaw is categorized under [CWE-1021] Improper Restriction of Rendered UI Layers or Frames. Because the issue is in system-level animation coordination rather than in a single app, taps that the user believes are directed at a benign view are routed to privileged interfaces. The result is local privilege escalation with full impact on confidentiality, integrity, and availability of the affected device.
Root Cause
The root cause is missing enforcement of overlay restrictions while startAnimation transitions stage windows. The coordinator does not validate that no untrusted window is layered above a sensitive target before dispatching input events. This allows a local app to insert a tapjacking surface during the animation window.
Attack Vector
A local attacker installs an application that requests permissions which look innocuous in context, such as the overlay permission (SYSTEM_ALERT_WINDOW) or accessibility-adjacent capabilities. The application times an overlay draw to coincide with a StageCoordinator animation event. The overlay covers the underlying privileged UI element while passing touches through to it (or proxying them), so the tap the user intends for the attacker's decoy lands on the hidden control. Because the attack relies only on the user's ordinary taps, the exploitation path does not require the user to accept any prompt or otherwise interact with something they would recognize as malicious. No verified public exploit code is currently associated with this CVE. Refer to the Android Security Bulletin June 2026 for vendor technical detail.
Detection Methods for CVE-2026-0036
Indicators of Compromise
- Installation of applications that request SYSTEM_ALERT_WINDOW (the permission needed to create TYPE_APPLICATION_OVERLAY windows) without a clear UX justification.
- Applications drawing overlay surfaces that coincide with system UI transitions or privileged dialogs.
- Unexpected privilege state changes on the device shortly after launching a third-party application.
Detection Strategies
- Audit installed packages for SYSTEM_ALERT_WINDOW and accessibility-service usage and correlate with build fingerprint to identify unpatched devices.
- Inspect dumpsys window output for unexpected overlay window types layered above system surfaces.
- Monitor mobile device management (MDM) telemetry for Android security patch level below 2026-06-01.
Monitoring Recommendations
- Track the Android security patch level reported by enrolled devices and flag any device that has not advanced to the June 2026 patch level.
- Alert on sideloaded APKs that declare overlay permissions, particularly on managed corporate devices.
- Review enterprise app catalogs for packages making use of overlay APIs and validate their business need.
How to Mitigate CVE-2026-0036
Immediate Actions Required
- Apply the June 2026 Android security patch (2026-06-01 patch level) to all managed devices running Android 14, 15, or 16.
- Restrict installation of applications from unknown sources through MDM policy.
- Revoke SYSTEM_ALERT_WINDOW from any application that does not require overlay functionality.
Patch Information
Google released the fix as part of the Android Security Bulletin June 2026. Device manufacturers ship the corresponding patch level 2026-06-01 or later; OEM rollout timing varies, so confirm the level on each device under Settings → About phone → Android security update.
Workarounds
- Disable the overlay permission for non-essential applications through Settings → Apps → Special app access → Display over other apps.
- Enforce Google Play Protect scanning and block sideloading via enterprise policy until the patch is deployed.
- Segment high-value accounts to devices that report the 2026-06-01 patch level or later.
# Verify Android security patch level on a connected device via ADB
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
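The audit described under Detection Strategies, Monitoring Recommendations and Workarounds above, as one added shell script written for this page (it is not from the bulletin or from Google). It assumes the common output shapes of getprop, of pm list packages -3 -i (package:<name>  installer=<pkg-or-null>) and of appops get <pkg> SYSTEM_ALERT_WINDOW (SYSTEM_ALERT_WINDOW: allow; ...); those formats vary across OEM builds and are an assumption here. The package names and appops lines it runs against when no device is attached are constructed sample data.

```sh
#!/bin/sh
# Added example for CVE-2026-0036 triage (not Google's tooling).
# Flags a device whose security patch level is below 2026-06-01 and lists
# third-party packages that currently hold the SYSTEM_ALERT_WINDOW appop,
# marking sideloaded ones (installer=null). revoke_overlay denies the op
# for one package. Output formats of getprop/pm/appops are assumed.
set -e

FIXED_PATCH_LEVEL="2026-06-01"

# Return 0 if $1 (YYYY-MM-DD from ro.build.version.security_patch) is at or
# past the fixed level. Anything malformed or empty is treated as unpatched.
patch_level_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s' "$1" | tr -d '-')" -ge "$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')" ]
}

# Turn `pm list packages -3 -i` lines into "<package> <installer>" lines.
parse_package_list() {
    sed -n 's/^package:\([^[:space:]]*\)[[:space:]]*installer=\(.*\)$/\1 \2/p'
}

# Read one package's `appops get <pkg> SYSTEM_ALERT_WINDOW` output on stdin;
# return 0 if the overlay op is currently in the allow mode.
overlay_allowed() {
    grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# Read a package list on stdin and print "<package> <installer> [sideloaded]"
# for each package whose overlay op is allowed. $1 is the appops lookup
# command (adb_appops on a device, sample_appops against the fixture).
audit_overlays() {
    lookup="$1"
    parse_package_list | while read -r pkg installer; do
        if "$lookup" "$pkg" | overlay_allowed; then
            tag=""
            if [ "$installer" = "null" ]; then tag=" sideloaded"; fi
            printf '%s %s%s\n' "$pkg" "$installer" "$tag"
        fi
    done
}

# Live lookups (only used when a device is attached).
adb_appops() { adb shell appops get "$1" SYSTEM_ALERT_WINDOW | tr -d '\r'; }

# Workaround from the page: deny the overlay op for one reviewed package.
revoke_overlay() { adb shell appops set "$1" SYSTEM_ALERT_WINDOW deny; }

# Constructed sample data standing in for a device (not real packages).
SAMPLE_PATCH_LEVEL="2026-05-05"
SAMPLE_PACKAGES='package:com.example.bank  installer=com.android.vending
package:com.example.screenhelper  installer=null
package:com.example.notes  installer=com.android.vending'

sample_appops() {
    case "$1" in
        com.example.screenhelper) echo 'SYSTEM_ALERT_WINDOW: allow; time=+3d2h11m0s ago' ;;
        com.example.bank)         echo 'SYSTEM_ALERT_WINDOW: deny; time=+1d0h0m0s ago' ;;
        *)                        echo 'No operations.' ;;
    esac
}

# Run the audit against the attached device, or the fixture if there is none.
run_audit() {
    if adb get-state >/dev/null 2>&1; then
        level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
        pkgs=$(adb shell pm list packages -3 -i | tr -d '\r')
        lookup=adb_appops
    else
        echo "no device attached; using constructed sample data" >&2
        level="$SAMPLE_PATCH_LEVEL"
        pkgs="$SAMPLE_PACKAGES"
        lookup=sample_appops
    fi
    if patch_level_is_fixed "$level"; then
        echo "security patch level $level: CVE-2026-0036 fix present"
    else
        echo "security patch level ${level:-unknown}: NOT fixed, review overlay holders"
    fi
    printf '%s\n' "$pkgs" | audit_overlays "$lookup"
}

run_audit
```

Against the fixture the script reports the 2026-05-05 level as unpatched and lists com.example.screenhelper as a sideloaded overlay holder; on a real device, review each listed package and call revoke_overlay on the ones without a business need (the op can be re-enabled from Settings → Apps → Special app access → Display over other apps). appops reflects the current grant state, not merely the manifest declaration, which is why the audit keys on it rather than on dumpsys package output.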
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

