CVE-2026-0046 Overview
CVE-2026-0046 is a tapjacking vulnerability in the InputInterceptor component of Letterbox.java in Google Android. An attacker can overlay a malicious UI element above a legitimate permission prompt, tricking users into granting permissions they did not intend to approve. The flaw enables local privilege escalation without requiring additional execution privileges. The vulnerability affects Android 14, 15, and 16, and is tracked under [CWE-269] (Improper Privilege Management).
Critical Impact
Local privilege escalation through UI redress, allowing malicious apps to obtain elevated permissions without informed user consent.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0
Discovery Timeline
- 2026-06-01 - CVE-2026-0046 published to NVD
- 2026-06-01 - Google publishes Android Security Bulletin June 2026
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-0046
Vulnerability Analysis
The defect resides in the InputInterceptor class within Letterbox.java, part of the Android Window Manager subsystem that handles letterboxed applications on devices whose display aspect ratio differs from the one the app was built for. The component does not correctly handle the case where an overlay window is drawn on top of a system permission dialog, so a malicious application can present a deceptive UI element that obscures the prompt or misrepresents what the user's tap will actually do.
No user interaction is needed to set up the attack beyond installing the malicious app, but the privilege uplift only succeeds if the victim taps the spoofed element. Because Android delivers that tap to the underlying permission prompt as a legitimate response, the grant takes effect without the user being aware of it. This class of issue is commonly referred to as tapjacking or UI redress.
Root Cause
The root cause is improper privilege management [CWE-269] in the letterbox input handling path: the InputInterceptor does not adequately verify whether overlay windows obscure security-critical surfaces such as runtime permission dialogs. (The behaviour itself is the pattern CWE catalogues separately as CWE-1021, Improper Restriction of Rendered UI Layers or Frames.) Android's standard defence against tapjacking is that the window receiving a touch can tell it was obscured when the tap occurred (MotionEvent.FLAG_WINDOW_IS_OBSCURED, honoured automatically by views that set filterTouchesWhenObscured). A flaw in the input path that breaks this guarantee for a permission prompt removes the trusted-input invariant that Android relies on to gate permission grants.
Attack Vector
Exploitation requires a locally installed malicious application. The app draws an overlay window timed to coincide with a runtime permission prompt, typically one it has triggered itself. When the user taps what appears to be a benign UI control, the tap is delivered to the underlying permission dialog, granting the requested permission to the attacker-controlled app. There is no remote attack vector, and no execution privileges beyond those of an ordinary installed app are required. The bulletin does not state which overlay mechanism the attack relies on; the detection and mitigation guidance below assumes the usual Display over other apps (SYSTEM_ALERT_WINDOW) route.
No public proof-of-concept code has been published for this issue. Refer to the Android Security Bulletin June 2026 for vendor technical details.
Detection Methods for CVE-2026-0046
Indicators of Compromise
- Installed applications requesting the SYSTEM_ALERT_WINDOW permission without a clear functional need.
- Unexpected permission grants to recently installed third-party applications, particularly dangerous-level permissions such as location or microphone, or accessibility services that were newly enabled for such an app.
- Overlay activity correlated in time with system permission dialogs in device logs.
Detection Strategies
- Audit installed applications on managed Android fleets for use of overlay-related permissions and accessibility services.
- Inspect logcat traces and WindowManager state (adb shell dumpsys window windows lists every visible window with its owning package and type) for overlay windows displayed concurrently with permission prompt activities.
- Use mobile threat defense telemetry to identify apps exhibiting tapjacking patterns or sideloaded packages from untrusted sources.
Monitoring Recommendations
- Track the Android security patch level (the ro.build.version.security_patch property) across managed endpoints and flag devices reporting a level earlier than 2026-06-01.
- Monitor enterprise application catalogs for newly published apps requesting overlay or accessibility privileges.
- Alert on privilege changes to apps shortly after installation, especially when paired with overlay permission usage.
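The two fleet checks above (which third-party packages can currently draw over other apps, and whether a device reports the 2026-06-01 patch level or later) as a small POSIX shell script. This is an added example written for this page, not code from Google or the Android Security Bulletin. On a managed device the inputs come from adb shell pm list packages -3, adb shell appops get <pkg> SYSTEM_ALERT_WINDOW and adb shell getprop ro.build.version.security_patch; here the package list, the appops responses and the patch-level value are constructed samples (the wording of the appops output is assumed from typical devices) so the script runs offline. The revocation command it prints for each flagged package is displayed, not executed.

```shell
#!/bin/sh
# Added fleet-audit helper for CVE-2026-0046 (not from the bulletin or AOSP).
# Check 1: which third-party packages hold the overlay (SYSTEM_ALERT_WINDOW)
#          app-op and can therefore draw over a permission prompt.
# Check 2: whether the device's security patch level is 2026-06-01 or later.
# On a real device the data comes from:
#   adb shell pm list packages -3
#   adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
#   adb shell getprop ro.build.version.security_patch
# Everything marked "constructed sample" below stands in for the device.

# Constructed sample of `pm list packages -3`: three sideloaded apps.
SAMPLE_PACKAGES='package:com.example.flashlight
package:com.example.notes
package:com.example.bank'

# Constructed sample of `appops get <pkg> SYSTEM_ALERT_WINDOW` per package
# (output wording assumed from typical devices).
sample_appops() {
    case "$1" in
        com.example.flashlight) printf 'SYSTEM_ALERT_WINDOW: allow; time=+2h13m ago\n' ;;
        com.example.notes)      printf 'No operations.\n' ;;
        *)                      printf 'SYSTEM_ALERT_WINDOW: deny\n' ;;
    esac
}

# overlay_allowed <appops-output>: succeeds if the op mode is "allow".
overlay_allowed() {
    printf '%s\n' "$1" | grep -q '^SYSTEM_ALERT_WINDOW: allow'
}

# list_overlay_packages <pm-list-output> <appops-query-fn>:
# prints every package whose overlay op is currently allowed.
list_overlay_packages() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | while read -r pkg; do
        if overlay_allowed "$("$2" "$pkg")"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# patched_for_cve <security_patch value>: succeeds if the level is >= 2026-06-01.
# YYYY-MM-DD orders correctly as an integer once the dashes are removed.
# Returns 2 for an empty or malformed property so callers can treat it as unknown.
patched_for_cve() {
    level=$(printf '%s' "$1" | tr -d '-')
    case "$level" in
        *[!0-9]*|'') return 2 ;;
    esac
    [ "$level" -ge 20260601 ]
}

# revoke_overlay_cmd <pkg>: the command an admin would run to revoke the overlay op.
revoke_overlay_cmd() {
    printf 'adb shell appops set %s SYSTEM_ALERT_WINDOW deny\n' "$1"
}

main() {
    echo "Packages able to draw over other apps (with the revocation command):"
    list_overlay_packages "$SAMPLE_PACKAGES" sample_appops | while read -r pkg; do
        echo "  $pkg  ->  $(revoke_overlay_cmd "$pkg")"
    done
    # Constructed sample property value for a device one patch behind.
    if patched_for_cve "2026-05-05"; then
        echo "Security patch level OK for CVE-2026-0046"
    else
        echo "Device below the 2026-06-01 patch level: apply the June 2026 update"
    fi
}

main
```

To run this against a real device, replace SAMPLE_PACKAGES with the output of the pm command and sample_appops with a function that runs the appops query over adb for the package it is given; the patch-level comparison works on the raw property value because the YYYY-MM-DD format orders correctly once the dashes are dropped, and a missing or malformed value is reported as unknown rather than as patched.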
How to Mitigate CVE-2026-0046
Immediate Actions Required
- Apply the June 2026 Android security patch level on all affected Android 14, 15, and 16 devices.
- Restrict sideloading and enforce installation only from vetted application stores via mobile device management policy.
- Review and revoke SYSTEM_ALERT_WINDOW and accessibility permissions from non-essential applications.
Patch Information
Google addressed the vulnerability in the June 2026 Android security patch. Device owners should install updates that report the 2026-06-01 security patch level or later. Full details are provided in the Android Security Bulletin June 2026.
Workarounds
- Disable the Display over other apps capability for untrusted applications under Settings > Apps > Special app access.
- Enforce a mobile device management policy that blocks installation of apps requesting overlay permissions outside an approved list.
- Educate users to dismiss unexpected overlays before interacting with permission prompts and to verify the source of any permission dialog.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

