CVE-2026-0048 Overview
CVE-2026-0048 is a tapjacking/overlay vulnerability in the Android WindowState.java component. Attackers can trick users into approving sensitive permissions by overlaying deceptive UI elements on top of legitimate permission prompts. Successful exploitation leads to local privilege escalation without requiring additional execution privileges. The flaw is categorized under [CWE-269] Improper Privilege Management and affects Google Android versions 14, 15, and 16, including multiple Android 16 QPR2 beta releases.
Critical Impact
A locally installed malicious application can manipulate the Android window manager to obscure permission dialogs, causing users to unknowingly grant elevated privileges that the attacker app can then abuse.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - CVE-2026-0048 published to NVD
- 2026-06-01 - Android Security Bulletin June 2026 released by Google
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-0048
Vulnerability Analysis
The vulnerability resides in the hide method of WindowState.java, a core component of the Android window management subsystem. The window manager fails to enforce proper visibility and z-order constraints when sensitive system dialogs are displayed. An attacker-controlled application can place an overlay window above a permission prompt while keeping the prompt interactive underneath. Users believe they are tapping a benign UI element but are actually approving permissions for the malicious app.
The issue is classified under [CWE-269] Improper Privilege Management. Exploitation requires local access through an installed application but does not require user interaction beyond the deceptive tap itself. The attack vector is local, complexity is low, and no privileges are needed by the attacking app to initiate the overlay sequence.
Root Cause
The root cause is missing or insufficient validation in the hide function within WindowState.java. The window state logic does not properly identify when a system permission UI element is partially or fully obscured by another application's window. Without this check, the platform allows attacker-drawn surfaces to coexist with sensitive dialogs, defeating the tapjacking protections introduced in prior Android releases.
Attack Vector
An attacker delivers a malicious application through sideloading or a third-party store. Once installed, the app requests the ability to draw overlays or leverages animations and transitions to render content above a permission prompt at the moment the system displays it. The user, believing they are interacting with the visible overlay, taps through and approves a permission the attacker requested in the background. The attacker gains capabilities such as access to contacts, location, storage, or accessibility services depending on the prompt that was obscured.
No public proof-of-concept code is available for this vulnerability. Refer to the Android Security Bulletin June 2026 for vendor-supplied technical details.
Detection Methods for CVE-2026-0048
Indicators of Compromise
- Applications requesting the SYSTEM_ALERT_WINDOW permission combined with rapid invocations of permission prompts shortly after install.
- Unexpected granting of high-risk runtime permissions such as accessibility services, SMS, or location to recently installed applications.
- Overlay windows rendered concurrently with system permission dialogs in WindowManager traces or bug reports.
Detection Strategies
- Audit installed applications for those declaring overlay-related permissions and correlate with recent permission grants in PackageManager logs.
- Monitor Android device logs for WindowState transitions occurring simultaneously with PermissionController UI events.
- Use mobile threat defense tooling to flag applications that abuse draw-over-other-apps capabilities or accessibility services.
Monitoring Recommendations
- Enroll devices in a mobile device management (MDM) solution that surfaces permission grants and overlay permission usage.
- Track Android security patch level (SPL) compliance across the fleet to confirm devices receive the June 2026 patch.
- Review enterprise app inventories for applications outside trusted distribution channels and revoke their overlay capabilities.
How to Mitigate CVE-2026-0048
Immediate Actions Required
- Apply the June 2026 Android security patch level on all managed devices running Android 14, 15, or 16.
- Restrict installation sources to Google Play and trusted enterprise stores via MDM policy.
- Revoke SYSTEM_ALERT_WINDOW and accessibility service permissions from applications that do not require them.
Patch Information
Google addressed CVE-2026-0048 in the Android Security Bulletin June 2026. Device manufacturers must integrate the patch into their respective firmware images and distribute it through over-the-air updates. Confirm the device security patch level reports 2026-06-01 or later after updating.
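As an added triage helper (not part of the bulletin or of the Android source), the script below applies the audit from the detection strategies and the patch-level check above: it flags recently installed apps that hold SYSTEM_ALERT_WINDOW together with a high-risk runtime grant, and reports whether a device is at or past the 2026-06-01 patch level. The package names and dump excerpt are constructed in the layout of `adb shell dumpsys package`; real output is longer and its field layout can differ by release, so the parser is deliberately tolerant of surrounding lines.

```python
# Added triage helper for this advisory (not Google's code): checks the reported
# security patch level and flags recently installed overlay-capable apps.
import re
from datetime import date

PATCHED_SPL = date(2026, 6, 1)  # patch level carrying the fix, per the bulletin
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
HIGH_RISK = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.ACCESS_FINE_LOCATION"}

# Constructed excerpt in the layout of `adb shell dumpsys package`.
SAMPLE_DUMP = """\
Package [com.example.overlaybait] (3f2a1c):
    firstInstallTime=2026-06-03 10:15:22
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (9b8c7d):
    firstInstallTime=2025-01-10 08:00:00
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

def spl_is_patched(spl: str) -> bool:
    """spl is the value of ro.build.version.security_patch, e.g. '2026-05-05'."""
    return date.fromisoformat(spl) >= PATCHED_SPL

def parse_packages(dump: str) -> dict:
    """Map package name -> {'installed': date, 'granted': set of granted permissions}."""
    pkgs, cur = {}, None
    for line in dump.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            cur = pkgs.setdefault(m.group(1), {"installed": None, "granted": set()})
        elif cur is None:
            continue  # ignore anything before the first package block
        elif m := re.match(r"\s*firstInstallTime=(\d{4}-\d{2}-\d{2})", line):
            cur["installed"] = date.fromisoformat(m.group(1))
        elif m := re.match(r"\s*([\w.]+): granted=true", line):
            cur["granted"].add(m.group(1))
    return pkgs

def flag_suspicious(dump: str, today: str, max_age_days: int = 7) -> list:
    """Return [(package, sorted high-risk grants)] for overlay-holding apps installed recently."""
    hits = []
    for name, info in parse_packages(dump).items():
        risky = info["granted"] & HIGH_RISK
        recent = info["installed"] and (date.fromisoformat(today) - info["installed"]).days <= max_age_days
        if OVERLAY in info["granted"] and risky and recent:
            hits.append((name, sorted(risky)))
    return hits
```

On a real device, feed `adb shell dumpsys package` output to `flag_suspicious` and `adb shell getprop ro.build.version.security_patch` to `spl_is_patched`; a hit is a lead for manual review, not proof of exploitation.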
Workarounds
- Disable installation from unknown sources on all enterprise-managed Android devices until patches are deployed.
- Educate users to dismiss any unexpected permission prompt and to verify which application is requesting it before tapping Allow.
- Limit use of Android 16 QPR2 beta builds in production environments until the fix is confirmed in a stable release.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.