
CVE-2026-0083: Google Android Privilege Escalation Flaw

CVE-2026-0083 is a privilege escalation vulnerability in Google Android caused by a use-after-free race condition in NFC components. Attackers can gain elevated privileges without user interaction. Learn the technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0083 Overview

CVE-2026-0083 is a use-after-free vulnerability in the Nfc::eventCallback() function defined in Nfc.h within Google Android. The flaw is triggered by a race condition in the Near Field Communication (NFC) event handling path. Successful exploitation leads to local privilege escalation without requiring user interaction or additional execution privileges. The issue is tracked under CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization.

Critical Impact

A local attacker can escalate privileges on an affected Android 17 device by racing NFC event callbacks, with no user interaction required.

Affected Products

  • Google Android 17.0
  • Devices shipping the affected NFC stack referenced in the Android Security Bulletin
  • Builds prior to the patch level documented in the Android Security Bulletin #17

Discovery Timeline

  • 2026-06-17 - CVE-2026-0083 published to the National Vulnerability Database
  • 2026-06-18 - CVE-2026-0083 last modified in NVD

Technical Details for CVE-2026-0083

Vulnerability Analysis

The defect resides in Nfc::eventCallback() declared in Nfc.h. The callback processes NFC events but does not adequately synchronize access to shared objects across concurrent threads. A second thread can free an object while eventCallback() is still operating on a stale pointer, producing a classic use-after-free condition. Because the NFC stack runs with elevated privileges, dereferencing freed memory under attacker influence permits code execution in a privileged context. The result is local escalation of privilege from an unprivileged local process to a higher-privileged service.

Root Cause

The root cause is improper synchronization of shared state in the NFC event handler. The callback path lacks the locking or reference-counting required to keep an object alive for the duration of its use. When one thread releases the object while eventCallback() still references it, subsequent access reads or writes freed heap memory. This pattern aligns with CWE-362 race conditions that lead to memory safety violations.

Attack Vector

Exploitation is local and requires no user interaction or prior privileges. An attacker with code execution on the device triggers NFC events in a tight loop while concurrently freeing the associated structures. Winning the race causes eventCallback() to operate on a dangling pointer. Controlled heap reuse then allows the attacker to substitute attacker-influenced data into the freed allocation, steering execution within the privileged NFC service. Refer to the Android Security Bulletin #17 for component-level details.

Detection Methods for CVE-2026-0083

Indicators of Compromise

  • Unexpected crashes or tombstone reports referencing the NFC service and Nfc::eventCallback()
  • SELinux denials originating from the NFC domain accessing memory or IPC interfaces outside policy
  • Repeated NFC service restarts logged by logd or system_server

Detection Strategies

  • Monitor Android tombstone and dropbox crash artifacts for signatures pointing to the NFC HAL and Nfc.h symbols
  • Inspect kernel and userland logs for rapid, repeated NFC adapter state transitions consistent with race condition probing
  • Correlate process telemetry showing unprivileged apps spawning workers that aggressively interact with NFC APIs
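
The indicators above can be counted in a saved logcat or tombstone text with a short triage script. This is an added example, not part of the original advisory; the sample log lines, the library path, the `com.android.nfc` process match and the restart threshold of 3 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: count the NFC indicators listed above in saved log text.
# SAMPLE_LOG is constructed for illustration; it was not captured from a device.
SAMPLE_LOG='06-20 10:01:02.100  1234  1234 F DEBUG   : pid: 2201, tid: 2240  >>> com.android.nfc <<<
06-20 10:01:02.101  1234  1234 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x10
06-20 10:01:02.102  1234  1234 F DEBUG   :   #00 pc 0001a2b0  /system/lib64/libnfc_sample.so (Nfc::eventCallback+64)
06-20 10:01:03.500   900   950 I ActivityManager: Start proc 2301:com.android.nfc/1027 for restart com.android.nfc
06-20 10:01:09.900   900   950 I ActivityManager: Start proc 2377:com.android.nfc/1027 for restart com.android.nfc
06-20 10:01:15.200   900   950 I ActivityManager: Start proc 2410:com.android.nfc/1027 for restart com.android.nfc
06-20 10:01:15.300   410   410 W audit   : type=1400 avc: denied { read } for pid=2410 scontext=u:r:nfc:s0 tcontext=u:object_r:sample_file:s0 tclass=file
06-20 10:02:00.000   900   950 I ActivityManager: Start proc 3000:com.example.app/u0a120 for activity'

# Each counter reads log text on stdin and prints a number.
# grep -c exits 1 when nothing matches, so "|| true" keeps it usable under set -e.
count_crash_frames() { grep -c 'Nfc::eventCallback' || true; }
count_nfc_restarts() { grep -c 'Start proc [0-9]*:com\.android\.nfc/' || true; }
count_nfc_denials()  { grep -c 'avc: denied.*scontext=u:r:[a-z_]*nfc' || true; }

# triage <log text> [restart threshold, default 3]
# Flags the log when a crash frame names the callback or the service keeps restarting.
# SELinux denials are reported as context only, since they can occur for benign reasons.
triage() {
    crashes=$(printf '%s\n' "$1" | count_crash_frames)
    restarts=$(printf '%s\n' "$1" | count_nfc_restarts)
    denials=$(printf '%s\n' "$1" | count_nfc_denials)
    verdict=ok
    if [ "$crashes" -gt 0 ] || [ "$restarts" -ge "${2:-3}" ]; then
        verdict=investigate
    fi
    echo "crash_frames=$crashes restarts=$restarts selinux_denials=$denials verdict=$verdict"
}

triage "$SAMPLE_LOG"
```

On real devices, feed the function the output of a log export instead of `SAMPLE_LOG`, and tune the process pattern to the NFC component names the device actually reports.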

Monitoring Recommendations

  • Forward Android device logs and crash dumps to a centralized logging pipeline for retrospective analysis
  • Track installed application behavior for unusual NFC API usage from non-NFC-centric apps
  • Maintain device patch-level inventory to flag endpoints below the patch level listed in the Android Security Bulletin

How to Mitigate CVE-2026-0083

Immediate Actions Required

  • Apply the security patch level referenced in the Android Security Bulletin #17 as soon as it is available from the device OEM
  • Enforce mobile device management policies that block installation of untrusted applications until patching is complete
  • Audit installed applications that request NFC permissions and remove those without a legitimate business need

Patch Information

Google addresses CVE-2026-0083 in the Android 17 security bulletin. Device manufacturers integrate the fix into their monthly security patch level. Confirm the device reports the patch level published in the Android Security Bulletin #17 before considering remediation complete.
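
The patch-level confirmation described above can be run across a device inventory. This is an added example, not part of the original advisory; the inventory lines are constructed, and `REQUIRED_PATCH` is a placeholder that must be set to the level published in the Android Security Bulletin #17.

```shell
#!/bin/sh
# Added example: flag devices whose reported security patch level is older than
# the fixed level. Inventory lines are constructed; on a live fleet each level
# comes from: adb -s <serial> shell getprop ro.build.version.security_patch
INVENTORY='emulator-5554 2026-05-05
R58M000AAA 2026-07-01
PIXELTEST01 unknown-build'

# Convert YYYY-MM-DD to the integer YYYYMMDD; fail on anything else.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# patch_status <reported level> <required level>
# Prints patched, vulnerable or unknown. Malformed input on either side yields
# "unknown", so a bad reading is never counted as remediated.
patch_status() {
    cur=$(patch_to_int "$1") || { echo unknown; return 0; }
    req=$(patch_to_int "$2") || { echo unknown; return 0; }
    if [ "$cur" -ge "$req" ]; then echo patched; else echo vulnerable; fi
}

# audit_inventory <required level>; stdin holds "<serial> <patch level>" per line.
# Prints only the devices that still need attention.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(patch_status "$level" "$1")
        [ "$status" = patched ] || echo "$serial $status"
    done
}

# Placeholder: replace YYYY-MM-DD with the level from Android Security Bulletin #17.
REQUIRED_PATCH="${REQUIRED_PATCH:-YYYY-MM-DD}"
printf '%s\n' "$INVENTORY" | audit_inventory "$REQUIRED_PATCH"
```

Until `REQUIRED_PATCH` is set to a real date, every device is reported as `unknown` rather than patched.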

Workarounds

  • Disable NFC under Settings on devices that do not require the feature until patches are installed
  • Restrict sideloading and enforce Google Play Protect to limit local attacker code execution
  • Apply MDM controls to prevent installation of applications requesting the android.permission.NFC permission on sensitive devices

```bash
# Verify the current Android security patch level on a device
adb shell getprop ro.build.version.security_patch

# Disable NFC locally (example using the svc CLI; use MDM policy for managed fleets)
adb shell svc nfc disable
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
