
CVE-2026-0061: Google Android Privilege Escalation Flaw

CVE-2026-0061 is a privilege escalation vulnerability in Google Android caused by a tapjacking/overlay weakness in WindowState.java. A malicious app can trick users into granting permissions they never knowingly approved. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-0061 Overview

CVE-2026-0061 is a tapjacking and overlay vulnerability in Android's WindowState.java component. The flaw allows a malicious application to trick users into granting permissions through deceptive UI overlays. Successful exploitation results in local privilege escalation without requiring additional execution privileges. The vulnerability is classified under CWE-1021: Improper Restriction of Rendered UI Layers or Frames.

The issue affects Android 14, 15, and 16, including several Android 16 Quarterly Platform Release (QPR) beta builds. Google addressed the flaw in the June 2026 Android Security Bulletin.

Critical Impact

A local attacker can leverage UI overlay deception to obtain permissions the user did not intend to grant, leading to local privilege escalation on affected Android devices.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing the issue
  • 2026-06-01 - CVE-2026-0061 published to the National Vulnerability Database (NVD)
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0061

Vulnerability Analysis

The vulnerability resides in multiple functions of WindowState.java, a core component of the Android Window Manager responsible for tracking window state and trust attributes. The flaw enables a tapjacking or overlay attack, where a malicious app draws content on top of legitimate permission dialogs or system UI elements. The user, believing they are interacting with the visible (attacker-controlled) UI, instead taps through to a hidden permission prompt beneath it.

Because Android grants permissions based on user touch events on the underlying window, the layered overlay tricks the system into treating the user's tap as informed consent. Granted permissions may include access to sensitive APIs, runtime capabilities, or device functions that elevate the malicious app's effective privileges.

Root Cause

The root cause is insufficient validation of overlay window trust and visibility when sensitive permission UI is displayed. WindowState.java does not adequately enforce the conditions under which touch events should be filtered or blocked when another window obscures the security-relevant view. This category of flaw is captured by CWE-1021, which covers improper restriction of rendered UI frames and overlays.

Attack Vector

The attack requires a locally installed application but no user interaction beyond ordinary device use, and no special execution privileges. The attacker app requests the ability to draw overlays (or abuses a permitted overlay surface) and positions deceptive UI atop a permission consent dialog. When the user taps the visible decoy element, the touch reaches the obscured permission grant button.

The vulnerability manifests in the window state and overlay handling logic. See the Android Security Bulletin June 2026 for component-level technical details.

Detection Methods for CVE-2026-0061

Indicators of Compromise

  • Installed applications holding the SYSTEM_ALERT_WINDOW permission that also request sensitive runtime permissions in close temporal proximity.
  • Unexpected permission grants recorded in PackageManager logs without corresponding visible user prompts.
  • Apps drawing full-screen or strategically positioned overlay windows during sensitive system interactions.

Detection Strategies

  • Audit installed applications on managed devices for use of overlay-related permissions combined with sensitive runtime permissions.
  • Review enterprise mobility management (EMM) telemetry for apps that activate overlay windows immediately before permission grant events.
  • Inspect Android security logs for windows flagged with overlay attributes during permission dialog presentation.

Monitoring Recommendations

  • Monitor Android appops records for SYSTEM_ALERT_WINDOW usage patterns across the fleet.
  • Track installations from sideloaded or non-Play Store sources, which present higher overlay-abuse risk.
  • Forward mobile device telemetry to a centralized analytics platform to correlate overlay activity with privilege changes.
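A fleet-audit check for the first detection strategy above and the appops monitoring point, written as an added example that is not code from the page or from Google: it flags packages that both may draw overlays (SYSTEM_ALERT_WINDOW appop allowed) and hold a granted sensitive runtime permission. The package names, the sensitive-permission set and the sample `dumpsys package` and `appops get` lines are constructed and heavily trimmed; real output has many more lines, and the `pkg: ...` appops layout assumes you prefix each package's `appops get <pkg> SYSTEM_ALERT_WINDOW` output with its package name when collecting.

```python
import re
# Runtime permissions treated as sensitive for this audit (assumed set; extend for your fleet).
SENSITIVE = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.RECORD_AUDIO", "android.permission.CAMERA"}

def granted_permissions(dumpsys_text):
    """Package -> permissions with granted=true, parsed from `dumpsys package` output."""
    granted, pkg = {}, None
    for line in dumpsys_text.splitlines():
        head = re.match(r"\s*Package \[([\w.]+)\]", line)
        perm = re.match(r"\s*([\w.]+): granted=true", line)
        if head:
            pkg = head.group(1)
            granted.setdefault(pkg, set())
        elif perm and pkg:
            granted[pkg].add(perm.group(1))
    return granted

def overlay_allowed(appops_text):
    """Packages whose SYSTEM_ALERT_WINDOW appop is 'allow'; one 'pkg: <appops get output>' line per package."""
    allowed = set()
    for line in appops_text.splitlines():
        m = re.match(r"([\w.]+): (.*)", line)
        if m and re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", m.group(2)):
            allowed.add(m.group(1))
    return allowed

def overlay_risks(dumpsys_text, appops_text):
    """Packages that may draw overlays AND hold a granted sensitive runtime permission."""
    granted = granted_permissions(dumpsys_text)
    return sorted((pkg, sorted(granted.get(pkg, set()) & SENSITIVE))
                  for pkg in overlay_allowed(appops_text) if granted.get(pkg, set()) & SENSITIVE)

# Constructed sample output, trimmed to the lines the parsers consume.
DUMPSYS_SAMPLE = """\
  Package [com.example.decoy] (1a2b3c):
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.launcher] (7a8b9c):
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
"""
APPOPS_SAMPLE = """\
com.example.decoy: SYSTEM_ALERT_WINDOW: allow; time=+3d2h10m
com.example.notes: No operations.
com.example.launcher: SYSTEM_ALERT_WINDOW: allow; time=+12d
"""
if __name__ == "__main__":
    for pkg, perms in overlay_risks(DUMPSYS_SAMPLE, APPOPS_SAMPLE):
        print(f"REVIEW {pkg}: overlay allowed + {', '.join(perms)}")
```

Only com.example.decoy is reported: com.example.notes holds a sensitive permission but cannot draw overlays, and com.example.launcher can draw overlays but holds none of the sensitive permissions.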

How to Mitigate CVE-2026-0061

Immediate Actions Required

  • Apply the June 2026 Android security patch level on all affected Android 14, 15, and 16 devices.
  • Remove or restrict applications that hold SYSTEM_ALERT_WINDOW without a clear business justification.
  • Enforce update compliance through EMM or mobile device management (MDM) policies before allowing access to corporate resources.

Patch Information

Google released a fix in the June 2026 Android Security Bulletin. Device manufacturers ship the corresponding security patch level through their standard update channels. Refer to the Android Security Bulletin June 2026 for full patch details and source code references.

Workarounds

  • Disable the "Display over other apps" permission for non-essential applications via Settings > Apps > Special app access.
  • Restrict sideloading and enforce installation only from vetted enterprise or Play Store sources.
  • Educate users to dismiss unexpected overlays before interacting with permission prompts and to verify the active app before tapping consent dialogs.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
