CVE-2026-0060 Overview
CVE-2026-0060 is a local denial of service vulnerability in Google Android. The flaw resides in the updateState method of GraphicsDriverEnableAngleAsSystemDriverController.java, a component that manages the ANGLE graphics driver as the system-wide OpenGL ES driver. A local attacker with low privileges can trigger a persistent denial of service condition without any user interaction. Google addressed the issue in the Android Security Bulletin June 2026.
Critical Impact
A local, low-privileged process can induce a persistent denial of service on affected Android devices, impacting graphics subsystem availability across Android 14, 15, and 16 builds.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0060
- 2026-06-01 - CVE-2026-0060 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-0060
Vulnerability Analysis
The vulnerability exists in GraphicsDriverEnableAngleAsSystemDriverController.java, specifically in the updateState routine. This controller is responsible for toggling ANGLE (Almost Native Graphics Layer Engine) as the system's OpenGL ES driver. When updateState processes an unexpected input or state condition, it persists a configuration that prevents the graphics driver subsystem from recovering normally. The result is a persistent local denial of service that survives across operations and may affect graphics-dependent functionality on the device.
Root Cause
The NVD entry classifies the root cause as NVD-CWE-noinfo, with Google describing it as a persistent DoS issue caused by an unusual condition. The defect allows the controller to commit a faulty state that the system continues to honor on subsequent operations. Because the affected state is persisted, simple process restarts do not restore service.
Attack Vector
Exploitation requires local access and low privileges on the device. No user interaction is needed. An attacker running code on the device can invoke the affected code path to push the graphics driver controller into a faulty persistent state. The scope is unchanged and the impact is limited to availability, with no confidentiality or integrity loss reported. The EPSS probability is 0.005%, reflecting a very low likelihood of opportunistic exploitation in the wild.
No public proof-of-concept or exploit code is available for CVE-2026-0060. Refer to the Android Security Bulletin June 2026 for vendor technical details.
Detection Methods for CVE-2026-0060
Indicators of Compromise
- Repeated crashes or unavailability of graphics-dependent applications and system surfaces following local app installation or update.
- Persistence of graphics subsystem failure across reboots, indicating committed state rather than transient fault.
- Unexpected modifications to ANGLE driver selection settings on Android 14, 15, or 16 devices.
Detection Strategies
- Monitor Android logcat output for repeated exceptions or state transitions originating in GraphicsDriverEnableAngleAsSystemDriverController.
- Inventory device fleets for Android builds predating the June 2026 security patch level and flag devices that have not received the update.
- Correlate user-reported graphics failures with recent local application activity to identify suspicious triggers.
Monitoring Recommendations
- Enforce mobile device management (MDM) policies that report Android security patch level and surface devices below the 2026-06-01 patch level.
- Track installation of unvetted third-party APKs on managed devices, as exploitation requires local code execution.
- Aggregate device crash telemetry into your SIEM or data lake to detect clusters of graphics subsystem failures across the fleet.
How to Mitigate CVE-2026-0060
Immediate Actions Required
- Apply the Android security patch level dated 2026-06-01 or later on all managed Android 14, 15, and 16 devices.
- Restrict installation of untrusted applications via MDM controls and Google Play Protect enforcement.
- Audit devices that cannot receive timely patches and consider replacement or restricted use.
Patch Information
Google released the fix in the Android Security Bulletin June 2026. Device builds carrying the 2026-06-01 security patch level or later contain the corrected updateState logic in GraphicsDriverEnableAngleAsSystemDriverController.java. OEM-specific delivery timelines vary; verify your device vendor has shipped the corresponding update.
Workarounds
- No vendor-published workaround exists; patching is the supported remediation.
- Limit local code execution exposure by blocking sideloading and enforcing application allowlists through MDM.
- For unpatched devices, restrict use to trusted applications and isolate them from sensitive workflows until the update is applied.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
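The single-device check above, extended to the fleet inventory described under Detection Strategies, as an added example that is not taken from the bulletin or from Android source. The `serial,release,patch_level` CSV layout, the function names and the sample rows are constructed assumptions; the patch-level values are what `getprop ro.build.version.security_patch` returns per device.

```sh
#!/bin/sh
# Added example: triage a device inventory against the advisory's fixed patch level.
FIXED_LEVEL=20260601   # 2026-06-01, the patch level named in the advisory

# Print "patched", "vulnerable" or "unknown" for one security_patch value.
patch_status() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]) ;;
    *) echo unknown; return 0 ;;   # empty or malformed: never assume patched
  esac
  ps_num=$(printf %s "$1" | tr -d '-')   # YYYY-MM-DD -> YYYYMMDD for numeric compare
  if [ "$ps_num" -lt "$FIXED_LEVEL" ]; then echo vulnerable; else echo patched; fi
}

# Succeeds only for the Android releases the advisory lists as affected.
is_affected_release() {
  case "${1%%.*}" in 14|15|16) return 0 ;; *) return 1 ;; esac
}

# Reads "serial,release,patch_level" lines on stdin and prints every affected
# device that is not confirmed patched, with its status appended.
audit_inventory() {
  while IFS=, read -r ai_serial ai_release ai_level; do
    case "$ai_serial" in ''|\#*) continue ;; esac        # skip blanks and comments
    ai_level=$(printf %s "$ai_level" | tr -d '\r')        # adb output may carry CR
    is_affected_release "$ai_release" || continue
    ai_status=$(patch_status "$ai_level")
    [ "$ai_status" = patched ] ||
      printf '%s,%s,%s,%s\n' "$ai_serial" "$ai_release" "$ai_level" "$ai_status"
  done
}

# Constructed sample inventory (not real devices).
sample_inventory() {
  cat <<'EOF'
# serial,release,patch_level
DEV-A,14,2026-05-05
DEV-B,15,2026-06-01
DEV-C,16,2026-06-05
DEV-D,13,2025-12-01
DEV-E,16,
DEV-F,15.0,2026-03-01
EOF
}

sample_inventory | audit_inventory
```

Devices reported as `unknown` returned no usable patch level and should be followed up rather than counted as patched.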


