CVE-2026-0063 Overview
CVE-2026-0063 is a privilege escalation vulnerability in Google Android 17.0. The flaw resides in the setAllowedCarriers method of PhoneInterfaceManager.java. A logic error in this telephony component allows an attacker to disable carrier restrictions on the device. Exploitation results in local escalation of privilege without requiring additional execution privileges or user interaction. The weakness is tracked under CWE-269: Improper Privilege Management.
Critical Impact
An attacker can bypass carrier restriction enforcement on Android 17.0 devices, undermining a security boundary that controls which carriers a device may use. No user interaction is required.
Affected Products
- Google Android 17.0
- PhoneInterfaceManager.java telephony component
- Devices running affected Android 17 builds prior to the June 2026 security patch level
Discovery Timeline
- 2026-06-17 - CVE-2026-0063 published to the National Vulnerability Database (NVD)
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-0063
Vulnerability Analysis
The vulnerability exists in the setAllowedCarriers method within PhoneInterfaceManager.java, a core Android telephony service component. Carrier restrictions are a device security control that defines which mobile network operators are permitted on a given handset. The method contains a logic error in how it validates or enforces caller privileges before applying changes to allowed-carrier configuration. As a result, a local actor without elevated privileges can manipulate the allowed-carrier list, effectively disabling the restriction policy.
Because PhoneInterfaceManager runs within a privileged system process, successful exploitation grants the attacker the ability to influence telephony state from an unprivileged context. This crosses a documented security boundary and constitutes local privilege escalation as defined by Google's Android severity guidelines.
Root Cause
The root cause is improper privilege management (CWE-269) inside the setAllowedCarriers code path. The method's permission or caller-identity check is logically flawed, permitting invocations that should be rejected. Carrier restriction state is consequently modified outside of the intended trust model.
Attack Vector
Exploitation occurs locally on the device through the telephony binder interface exposed by PhoneInterfaceManager. An attacker with the ability to run unprivileged code on the device, such as via a malicious application, can invoke the vulnerable API path. User interaction is not required. Refer to the Android Security Bulletin #17 for vendor-supplied technical details.
Detection Methods for CVE-2026-0063
Indicators of Compromise
- Unexpected changes to carrier restriction configuration on devices running Android 17.0
- Applications without MODIFY_PHONE_STATE or carrier-privilege permissions invoking telephony manager APIs related to allowed carriers
- Devices reporting a security patch level earlier than the June 2026 Android Security Bulletin fix
Detection Strategies
- Inventory mobile fleet build fingerprints and flag Android 17.0 devices missing the June 2026 patch level
- Use mobile device management (MDM) attestation to compare current carrier-allow-list state against the enrolled baseline
- Review installed application permission grants and runtime telephony API usage on managed Android 17 devices
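As an added example of the fleet-inventory strategy above (not part of this advisory and not Google's tooling), the following Python flags Android 17 devices whose ro.build.version.security_patch predates the fix. The two property names are real Android build properties; the 2026-06-01 threshold is an assumed placeholder for the June 2026 bulletin patch level, and the inventory rows are constructed.

```python
from datetime import date

# Assumed placeholder for the first patch level carrying the fix; replace
# with the exact string from Android Security Bulletin #17.
FIXED_PATCH_LEVEL = date(2026, 6, 1)
AFFECTED_MAJOR = 17


def parse_patch_level(value):
    """Turn a 'YYYY-MM-DD' patch level into a date; None if missing or malformed."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (AttributeError, ValueError):
        return None


def is_exposed(device):
    """True when the device runs Android 17.x without the fixed patch level.

    A missing or unparseable patch level counts as exposed, so a broken
    inventory record cannot hide an unpatched device from the report.
    """
    release = str(device.get("ro.build.version.release", ""))
    major = release.split(".")[0]
    if not major.isdigit() or int(major) != AFFECTED_MAJOR:
        return False
    patch = parse_patch_level(device.get("ro.build.version.security_patch"))
    return patch is None or patch < FIXED_PATCH_LEVEL


def triage(devices):
    """Return the ids of exposed devices, sorted for stable reporting."""
    return sorted(d["id"] for d in devices if is_exposed(d))


# Constructed sample MDM export (not real device data).
SAMPLE_INVENTORY = [
    {"id": "dev-01", "ro.build.version.release": "17.0", "ro.build.version.security_patch": "2026-05-05"},
    {"id": "dev-02", "ro.build.version.release": "17.0", "ro.build.version.security_patch": "2026-06-05"},
    {"id": "dev-03", "ro.build.version.release": "16", "ro.build.version.security_patch": "2026-04-05"},
    {"id": "dev-04", "ro.build.version.release": "17.0", "ro.build.version.security_patch": "unknown"},
]

if __name__ == "__main__":
    for dev_id in triage(SAMPLE_INVENTORY):
        print(f"{dev_id}: Android 17 below assumed June 2026 patch level (CVE-2026-0063)")
```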
Monitoring Recommendations
- Forward MDM compliance and patch-level telemetry into a centralized SIEM for continuous visibility
- Alert on Android 17.0 endpoints that remain unpatched beyond the organization's remediation SLA
- Monitor logcat telephony events on test devices for anomalous setAllowedCarriers invocations during application vetting
How to Mitigate CVE-2026-0063
Immediate Actions Required
- Apply the Android security patch level published in the Android Security Bulletin #17 to all Android 17.0 devices
- Enforce patch-level compliance through MDM and block non-compliant devices from sensitive corporate resources
- Restrict sideloading and require application installation only from vetted sources
Patch Information
Google has addressed CVE-2026-0063 in the Android 17 security bulletin. Device manufacturers ship the fix via their monthly security patch updates tied to the bulletin's patch level. Consult the Android Security Bulletin #17 for the exact patch level string and per-OEM availability.
Workarounds
- No vendor-supplied workaround is available; apply the official patch as soon as the device manufacturer makes it available
- Limit exposure by removing untrusted applications and enforcing application allow-listing through MDM until the patch is deployed
- For high-risk users, temporarily restrict use of unpatched Android 17.0 devices for sensitive telephony or carrier-dependent workflows
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.