
CVE-2026-0087: Google Android Privilege Escalation Flaw

CVE-2026-0087 is a privilege escalation vulnerability in Google Android that allows attackers to hijack app links without user interaction. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-0087 Overview

CVE-2026-0087 is a local privilege escalation vulnerability in the Android operating system. The flaw resides in the approvalLevelForDomainInternal method of DomainVerificationService.java, where a logic error allows an attacker to hijack an arbitrary app link. A malicious local app can claim verified ownership of a domain it does not legitimately control, redirecting URL handling away from the genuine application. Exploitation requires no user interaction and no additional execution privileges beyond those granted to a standard installed app. Google disclosed the issue in the Android Security Bulletin for June 2026, affecting Android versions 14, 15, and 16, including multiple QPR2 beta builds.

Critical Impact

Local apps can hijack arbitrary verified app links, redirecting sensitive URL intents such as banking, email, or authentication callbacks to attacker-controlled components.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0087
  • 2026-06-01 - CVE-2026-0087 published to the National Vulnerability Database
  • 2026-06-03 - Last updated in the NVD

Technical Details for CVE-2026-0087

Vulnerability Analysis

The vulnerability is classified as a Protection Mechanism Failure [CWE-693] in the Android DomainVerificationService. This service determines which installed application should automatically handle a given web link based on Digital Asset Links verification. The approvalLevelForDomainInternal method computes the approval level the system assigns to an app for a particular domain.

A logic error in that approval calculation lets a malicious app obtain a higher approval level than it should be eligible for. When Android resolves an intent for a verified domain, it selects the app with the highest approval level. The flawed logic causes the system to prefer the malicious app over the legitimate, properly verified app, achieving app link hijacking.

Because app links often carry sensitive data such as OAuth authorization codes, password reset tokens, magic login links, and deep links into banking or messaging applications, the impact extends beyond simple UI redirection into credential and session theft.

Root Cause

The root cause is incorrect domain approval evaluation inside approvalLevelForDomainInternal. The method fails to properly enforce the precedence rules that protect previously verified domain ownership, allowing an unverified or weaker claim to outrank a stronger one. This breaks the security guarantee that App Links verified through Digital Asset Links cannot be silently overridden by another installed application.

Attack Vector

The attack vector is local. An attacker must first deliver a malicious application to the target device through sideloading, a third-party store, or a malicious listing that slipped into Google Play. Once installed, the app declares intent filters for the targeted domain. By triggering the flawed approval path in DomainVerificationService, the malicious package becomes the default handler for that domain without any user prompt. Subsequent intents for the hijacked domain, including those generated by the browser or other apps, are routed to the attacker's components. No user interaction beyond installing the malicious app is required.

Verified proof-of-concept code is not publicly available. See the Android Security Bulletin June 2026 for the official technical references.

Detection Methods for CVE-2026-0087

Indicators of Compromise

  • Newly installed third-party applications declaring intent filters for domains they do not own, particularly financial, identity provider, or enterprise SaaS domains.
  • Unexpected changes in the output of adb shell pm get-app-links <package> showing verified or selected status for domains that should belong to other apps.
  • Multiple packages claiming autoVerify="true" for the same high-value domain on a single device.

Detection Strategies

  • Audit installed APKs for AndroidManifest.xml intent filters that target sensitive domains belonging to other vendors.
  • Compare per-device domain verification state against an expected baseline maintained by mobile device management (MDM) tooling.
  • Hunt for apps with low install counts or unsigned origins that request autoVerify on common authentication or banking domains.
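As an added example (not code from this page or from Google), a Python audit that parses the output of adb shell pm get-app-links and applies the indicators and detection checks above: a sensitive domain held by a package other than its MDM baseline owner, and a domain held in an owning state by more than one package. The sample output and baseline mapping are constructed, the set of "owning" states is an assumption, and the parser only loosely follows the real command's layout.

```python
import re
from collections import defaultdict

# Hypothetical MDM baseline: sensitive domain -> the only package allowed to own it.
SENSITIVE_BASELINE = {"login.example-bank.com": "com.examplebank.app"}
# States treated as "this package receives the link" (assumption; others ignored).
OWNING_STATES = {"verified", "approved", "selected"}

# Constructed sample, loosely modelled on the `pm get-app-links` layout:
# a package header line, then an indented "domain: state" list.
SAMPLE_OUTPUT = """\
  com.examplebank.app:
    Domain verification state:
      login.example-bank.com: verified
  com.shady.sideloaded:
    Domain verification state:
      login.example-bank.com: verified
      news.example.org: none
"""
PKG_RE = re.compile(r"^\s{0,2}([a-z0-9_.]+):\s*$", re.I)
DOMAIN_RE = re.compile(r"^\s+([a-z0-9-]+(?:\.[a-z0-9-]+)+):\s+(\S+)\s*$", re.I)

def parse_app_links(text):
    """Return {package: {domain: state}} parsed from the command output."""
    links, pkg = {}, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            pkg = m.group(1)
            links[pkg] = {}
        elif (m := DOMAIN_RE.match(line)) and pkg:
            links[pkg][m.group(1).lower()] = m.group(2).lower()
    return links

def find_hijack_candidates(links, baseline=SENSITIVE_BASELINE):
    """Flag sensitive domains owned by a non-baseline package, and any domain
    held in an owning state by more than one package (the page's IoCs)."""
    findings, owners = [], defaultdict(set)
    for pkg, domains in links.items():
        for domain, state in domains.items():
            if state not in OWNING_STATES:
                continue
            owners[domain].add(pkg)
            if domain in baseline and baseline[domain] != pkg:
                findings.append(("unexpected_owner", domain, pkg))
    for domain, pkgs in owners.items():
        if len(pkgs) > 1:
            findings.append(("multiple_owners", domain, ",".join(sorted(pkgs))))
    return sorted(findings)
```

Run it against real per-device output collected by MDM tooling and alert on any non-empty result; a clean device yields an empty list.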

Monitoring Recommendations

  • Forward mobile EDR and MDM telemetry into a central data lake and alert on package installations that register verified domains overlapping with corporate or financial brands.
  • Monitor Android OS patch levels across the fleet and flag devices that remain on pre-June 2026 security patch levels.
  • Track redirect anomalies in identity provider logs, such as OAuth callbacks completing from unexpected user-agents shortly after a new app install on a managed device.

How to Mitigate CVE-2026-0087

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) to all Android 14, 15, and 16 devices.
  • Remove Android 16 QPR2 beta builds from production use until they receive the corresponding fix.
  • Uninstall untrusted or sideloaded applications from managed devices and restrict installation sources via MDM policy.
  • Re-verify domain handler assignments for sensitive applications after patching.

Patch Information

Google addressed CVE-2026-0087 in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the fix to DomainVerificationService.java. OEM rollout timing varies, so administrators should validate the patch level on each device model rather than relying solely on the Android major version.

Workarounds

  • Enforce Google Play Protect and block installation from unknown sources through MDM configuration.
  • Use Android Enterprise work profiles to restrict which apps can register intent filters for corporate domains.
  • For high-value web flows, prefer custom tabs or in-app browsers over implicit intents until all fleet devices are patched.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
