Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0081

CVE-2026-0081: Google Android Privilege Escalation Flaw

CVE-2026-0081 is a privilege escalation vulnerability in Google Android NFC that allows attackers to spoof NFC events due to missing permission checks. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-0081 Overview

CVE-2026-0081 is a missing authorization vulnerability in the Near Field Communication (NFC) component of Google Android 17.0. The flaw stems from an absent permission check that allows an attacker to spoof an NFC event. Successful exploitation leads to local escalation of privilege without requiring additional execution privileges or user interaction. The vulnerability is tracked under [CWE-862] (Missing Authorization) and is documented in the Android Security Bulletin.

Critical Impact

An unauthenticated actor can spoof NFC events to escalate privileges on affected Android 17.0 devices with no user interaction required.

Affected Products

  • Google Android 17.0
  • Devices running the Android 17 NFC stack
  • OEM builds derived from Android 17.0 prior to the security patch

Discovery Timeline

  • 2026-06-17 - CVE-2026-0081 published to the National Vulnerability Database
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-0081

Vulnerability Analysis

The vulnerability resides in the Android NFC subsystem within Android 17.0. A required permission check is missing along a code path that processes NFC events. As a result, an unprivileged caller can deliver a crafted event that the NFC service treats as authentic. The flaw maps to [CWE-862] Missing Authorization, where the affected entry point fails to verify the caller's permissions before acting on the request.

The outcome is local privilege escalation. An attacker leveraging the spoofed NFC event can perform actions that should be restricted to privileged components or the platform itself. According to the NVD record, exploitation does not require user interaction and no additional execution privileges are needed beyond the ability to invoke the affected interface. The current EPSS probability is 0.148%, reflecting low observed exploitation activity at publication time.

Root Cause

The root cause is the absence of a permission enforcement step in the NFC event handling path. Android components normally gate sensitive operations using checkPermission calls, signature-level permissions, or UID checks. In the affected code path, this gate is not present, allowing any caller that can reach the interface to inject an event that the system trusts.

Attack Vector

A local attacker with the ability to invoke the exposed NFC interface crafts a spoofed event. Because the service does not validate the caller's authorization, the event is accepted and processed with the privileges of the NFC system component. The attacker uses this trust boundary violation to perform operations that would otherwise be denied, achieving privilege escalation on the device.

No public proof-of-concept code or exploit has been released. The vulnerability is described in prose only; see the Android Security Bulletin for vendor technical details.

Detection Methods for CVE-2026-0081

Indicators of Compromise

  • Unexpected invocations of NFC service APIs originating from non-system or unprivileged UIDs in logcat and dumpsys nfc output.
  • Anomalous NFC event broadcasts received by privileged receivers without a corresponding physical tag interaction.
  • Installation or execution of apps that request NFC-related interfaces but have no legitimate NFC functionality.

Detection Strategies

  • Audit Android build fingerprints across the fleet to identify devices on Android 17.0 that have not received the corresponding security patch level.
  • Use Mobile Device Management (MDM) telemetry to flag devices reporting NFC service errors or unexpected NFC event activity.
  • Review application manifests and runtime behavior for processes interacting with NFC interfaces in unusual ways.

Monitoring Recommendations

  • Forward Android security logs and MDM compliance events to a centralized SIEM for correlation against the published Android security patch level.
  • Monitor for newly sideloaded applications on managed Android 17 devices, since local code execution is a prerequisite for spoofing the NFC event.
  • Track Android Security Bulletin updates and align device patch SLAs to the monthly release cadence.

How to Mitigate CVE-2026-0081

Immediate Actions Required

  • Apply the Android 17 security patch referenced in the Android Security Bulletin on all managed devices.
  • Enforce a minimum Android security patch level policy through MDM, blocking access to corporate resources for non-compliant devices.
  • Restrict installation of unknown or sideloaded applications on Android 17.0 devices until patches are deployed.

Patch Information

Google has published a fix as part of the Android 17 security bulletin. Device manufacturers integrate the patch into their monthly security patch level updates. Administrators should confirm that managed devices report a patch level on or after the bulletin date that includes CVE-2026-0081. Reference: Android Security Bulletin.

Workarounds

  • Disable NFC on devices that do not require it through MDM policy until the patch is applied.
  • Limit application installation to vetted enterprise app stores to reduce the population of local callers able to reach the NFC interface.
  • Segment NFC-enabled devices from sensitive enterprise resources until devices report a compliant patch level.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne