CVE-2026-0077: Google Android Privilege Escalation Flaw

CVE-2026-0077 is a privilege escalation vulnerability in Google Android caused by a logic error in ActivityRecord.java. Attackers can exploit this flaw to gain elevated privileges. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0077 Overview

CVE-2026-0077 is a local privilege escalation vulnerability in the Android Activity Manager. The flaw resides in the resumeConfigurationDispatch method of ActivityRecord.java. A logic error allows a background application to launch activities without holding the required permissions, bypassing Android's background activity launch (BAL) restrictions.

Google disclosed the issue in the June 2026 Android Security Bulletin. Exploitation requires local access and low privileges but no user interaction, and no additional execution privileges are needed. Successful exploitation yields local escalation of privilege.

Critical Impact

A malicious local application can bypass background activity launch restrictions and escalate privileges on affected Android 16.0 QPR2 beta builds.

Affected Products

  • Google Android 16.0 QPR2 Beta 1
  • Google Android 16.0 QPR2 Beta 2
  • Google Android 16.0 QPR2 Beta 3

Discovery Timeline

  • 2026-06-01 - Google publishes Android Security Bulletin addressing CVE-2026-0077
  • 2026-06-01 - CVE-2026-0077 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-0077

Vulnerability Analysis

The vulnerability is classified under [CWE-693] Protection Mechanism Failure. Android enforces background activity launch (BAL) restrictions to prevent backgrounded applications from drawing UI elements over foreground processes. These restrictions defend against tapjacking, phishing overlays, and unauthorized activity transitions.

The resumeConfigurationDispatch routine in ActivityRecord.java contains a logic error that fails to consistently apply BAL checks during configuration change dispatch. A background process can leverage this code path to start an activity it would otherwise be prevented from launching.

Because the launched activity inherits visibility and focus, it can present UI to the user, harvest input, or transition into more privileged components within the same process boundary.

Root Cause

The root cause is an inconsistent enforcement check inside resumeConfigurationDispatch. The method resumes activities during configuration updates without re-validating whether the calling process satisfies BAL requirements. This represents a protection mechanism failure rather than a memory safety defect.

Attack Vector

The attack vector is local. A malicious application installed on the device can trigger a configuration dispatch sequence from the background to invoke the vulnerable code path. No user interaction is required, and the calling process only needs standard application privileges.

Verified proof-of-concept code is not publicly available. Refer to the Android Security Bulletin June 2026 for technical references and patch metadata.

Detection Methods for CVE-2026-0077

Indicators of Compromise

  • Unexpected foreground activity launches originating from applications that were recently backgrounded or stopped.
  • Installed third-party applications targeting Android 16 QPR2 beta builds with components that listen for configuration change broadcasts.
  • Activity transitions logged in ActivityTaskManager without a corresponding user-initiated event.

Detection Strategies

  • Review logcat output from ActivityTaskManager and ActivityManager for START_ACTIVITY events sourced from background UIDs.
  • Use runtime mobile threat defense agents on the device to flag applications that issue activity launches outside the standard foreground lifecycle.
  • Audit applications installed on QPR2 beta devices and correlate package install times with anomalous UI overlay events.
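
One way to apply the logcat review described above, as an added example (not part of the original advisory or any Google tooling): it flags activity starts whose calling UID belongs to a third-party package that did not own the most recently started activity. The log lines, package names and UIDs are constructed, the START line layout is an assumption that varies across Android releases, and the heuristic produces candidates for review rather than confirmed exploitation.

```python
import re

# Constructed output of `adb shell pm list packages -3 -U` (package and UID).
PM_OUTPUT = """\
package:com.example.notes uid:10091
package:com.example.flashlight uid:10142
"""

# Constructed logcat lines (threadtime format); the layout varies by release.
LOGCAT = """\
06-02 10:15:01.120  1650  1702 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN flg=0x10200000 cmp=com.example.notes/.MainActivity} from uid 10050
06-02 10:15:09.402  1650  1702 I ActivityTaskManager: START u0 {cmp=com.example.notes/.EditActivity} from uid 10091
06-02 10:16:30.015  1650  1811 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN flg=0x10000100 cmp=com.example.launcher/.Home} from uid 1000
06-02 10:16:31.200  2210  2210 D ExampleTag: unrelated line
06-02 10:18:44.310  1650  1702 I ActivityTaskManager: START u0 {flg=0x10000000 cmp=com.example.flashlight/.PromoActivity} from uid 10142
"""

# Target package comes from cmp=<pkg>/<class>; caller from "from uid <n>".
START_RE = re.compile(
    r"ActivityTaskManager: START u\d+ \{[^}]*cmp=([\w.]+)/[^}]*\}.*?from uid (\d+)")
PKG_RE = re.compile(r"^package:(\S+) uid:(\d+)$", re.M)


def third_party_uids(pm_output):
    """Map UID -> package name for third-party packages."""
    return {int(uid): pkg for pkg, uid in PKG_RE.findall(pm_output)}


def suspicious_starts(logcat, uid_to_pkg):
    """Flag starts by a third-party UID that did not own the last started activity."""
    top_pkg = None  # package of the most recently started activity
    findings = []
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        target_pkg, caller_uid = m.group(1), int(m.group(2))
        caller_pkg = uid_to_pkg.get(caller_uid)  # None for system/preinstalled
        if caller_pkg and top_pkg and caller_pkg != top_pkg:
            findings.append({"time": line[:18], "caller": caller_pkg,
                             "uid": caller_uid, "target": target_pkg})
        top_pkg = target_pkg
    return findings


if __name__ == "__main__":
    for f in suspicious_starts(LOGCAT, third_party_uids(PM_OUTPUT)):
        print(f"{f['time']} uid={f['uid']} {f['caller']} -> {f['target']}")
```

Launches that arrive through notification taps or other PendingIntents can also match, so correlate each finding with user-input events before escalating.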

Monitoring Recommendations

  • Enroll developer and beta-channel devices in mobile device management with telemetry forwarding to a centralized SIEM.
  • Alert on the appearance of overlay activities while the device screen state indicates the user is interacting with another foreground application.
  • Track Android build fingerprints across the fleet to identify devices still running unpatched QPR2 beta images.

How to Mitigate CVE-2026-0077

Immediate Actions Required

  • Update all Android 16.0 QPR2 beta devices to the June 2026 security patch level or later.
  • Remove untrusted third-party applications from devices running affected beta builds.
  • Restrict enrollment in the Android Beta Program to devices that do not handle sensitive corporate data.

Patch Information

Google released a fix in the June 2026 Android Security Bulletin. Devices reporting a security patch level of 2026-06-01 or later contain the corrected resumeConfigurationDispatch logic. Refer to the Android Security Bulletin June 2026 for build identifiers and OTA package details.

Workarounds

  • Downgrade affected devices from the QPR2 beta channel to the latest stable Android release until the patch is applied.
  • Apply mobile device management policies that block sideloading and restrict installation to vetted application sources.
  • Disable background execution for applications that do not require it through the per-application battery optimization settings.

```bash
# Verify the security patch level on an Android device via adb
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later

# List installed third-party packages for review
adb shell pm list packages -3
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
