Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-0082

CVE-2026-0082: Google Android Privilege Escalation Flaw

CVE-2026-0082 is a privilege escalation vulnerability in Google Android's NfcDispatcher component that allows automatic special app access permission assignment. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-0082 Overview

CVE-2026-0082 is a local privilege escalation vulnerability in the Android Near Field Communication (NFC) subsystem. The flaw resides in the tryStartActivity method of NfcDispatcher.java, where an insecure default value enables automatic assignment of special app access permissions. An attacker can obtain elevated permissions without additional execution privileges and without user interaction. The vulnerability is classified under [CWE-453: Insecure Default Variable Initialization].

Critical Impact

Automatic special app access permission assignment allows local privilege escalation on Android 17 devices without user interaction or additional execution privileges.

Affected Products

  • Google Android 17.0
  • Devices running the Android 17 NFC stack with NfcDispatcher.java
  • Android distributions inheriting the unpatched AOSP NFC component

Discovery Timeline

  • 2026-06-17 - CVE-2026-0082 published to the National Vulnerability Database (NVD)
  • 2026-06-18 - Last updated in NVD database
  • Android Security Bulletin #17 - Published by Google with patch information

Technical Details for CVE-2026-0082

Vulnerability Analysis

The vulnerability exists in tryStartActivity within NfcDispatcher.java, the component responsible for routing NFC tag and message events to handler activities. An insecure default value in the dispatcher logic causes the system to grant special app access permissions automatically when an activity is started through NFC dispatch. This bypasses the standard permission review flow that normally requires explicit user consent.

Because the dispatcher operates with system-level privileges, any activity it launches inherits elevated trust. The flaw enables a local attacker to escalate from an unprivileged context to a position holding sensitive special app access rights. No user interaction is required during exploitation.

Root Cause

The root cause is an insecure default variable initialization [CWE-453] in NfcDispatcher.java. The default value for a permission-governing field permits automatic privilege assignment instead of defaulting to a deny state. Secure-by-default design requires that special access permissions remain off until explicit authorization occurs.

Attack Vector

A local attacker triggers the vulnerable code path through an NFC-initiated activity start. The dispatcher applies the insecure default and assigns special app access permissions to the targeted application. The attacker then uses these permissions to perform actions normally restricted to system or user-approved applications.

No verified public proof-of-concept code is available. Refer to the Android Security Bulletin #17 for vendor-supplied technical details.

Detection Methods for CVE-2026-0082

Indicators of Compromise

  • Unexpected grants of special app access permissions to non-system applications shortly after NFC tag dispatch events
  • Activity launches originating from NfcDispatcher followed by permission state changes in appops or PackageManager logs
  • Installed applications acquiring sensitive permissions without a corresponding user-facing consent dialog

Detection Strategies

  • Audit logcat output for NfcDispatcher.tryStartActivity invocations correlated with permission modifications
  • Inspect device permission state using adb shell dumpsys package and adb shell cmd appops get for anomalous grants
  • Compare baseline permission inventories before and after NFC interactions on test devices

Monitoring Recommendations

  • Forward Android device logs and mobile threat defense telemetry into a centralized analytics platform for correlation
  • Alert on changes to special app access categories such as device admin, accessibility, or notification listener bindings
  • Track Android build fingerprints across the fleet to identify devices still running unpatched Android 17 builds

How to Mitigate CVE-2026-0082

Immediate Actions Required

  • Apply the Android security update referenced in Android Security Bulletin #17 as soon as the OEM makes it available
  • Inventory devices on Android 17.0 and prioritize patch deployment through mobile device management (MDM)
  • Review installed applications for unexpected special app access grants and revoke any that are unauthorized

Patch Information

Google has issued a fix as part of the Android 17 security bulletin. Device vendors integrate the fix into their monthly security patch level. Confirm that devices report the patch level associated with Android Security Bulletin #17 or later.

Workarounds

  • Disable NFC on affected devices until the security patch is installed, using device settings or MDM policy
  • Restrict installation of untrusted applications through Google Play Protect and enterprise application allowlists
  • Enforce baseline permission policies via MDM to detect and remediate unauthorized special app access grants

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne