CVE Vulnerability Database

CVE-2026-0092: Google Android Privilege Escalation Flaw

CVE-2026-0092 is a privilege escalation vulnerability in Google Android's Package Manager that allows attackers to bypass device lock controls. This article covers the technical details, affected versions, and mitigations.


CVE-2026-0092 Overview

CVE-2026-0092 is a missing authorization vulnerability [CWE-862] in the Android Package Manager component. The flaw allows a local attacker to bypass the device lock controller because a required permission check is absent. Exploitation results in local escalation of privilege without requiring additional execution privileges. User interaction is not needed, which lowers the barrier for abuse by malicious applications already installed on the device. Google addressed the issue in the Android 17 security bulletin. The affected platform is Google Android version 17.0.

Critical Impact

A local attacker can bypass the device lock controller and escalate privileges on an Android 17 device with no user interaction required.

Affected Products

  • Google Android 17.0
  • Android Package Manager component on affected builds
  • Devices that have not applied the Android 17 security bulletin patches

Discovery Timeline

  • 2026-06-17 - CVE-2026-0092 published to the National Vulnerability Database
  • 2026-06-18 - Entry last modified in NVD

Technical Details for CVE-2026-0092

Vulnerability Analysis

The vulnerability resides in the Android Package Manager, the system service responsible for installing, updating, and managing application packages and their permissions. A code path that interacts with the device lock controller lacks the required permission check before performing a privileged operation. An unprivileged local caller can reach this path and influence device lock controller behavior that should be restricted to privileged system components.

Because the check is missing rather than incorrectly implemented, no cryptographic bypass, memory corruption, or timing condition is involved. The exploitation pattern matches classic missing-authorization weaknesses tracked under [CWE-862]. The result is local privilege escalation, which can be used to weaken device management controls or to pivot toward further compromise of user data and system state.

Root Cause

The Package Manager fails to verify that the caller holds the permission required to invoke a device lock controller operation. Android relies on checkCallingPermission or enforceCallingPermission style guards to restrict sensitive APIs to privileged callers. When such a guard is omitted, any process running on the device can invoke the affected operation through standard binder IPC.

Attack Vector

A malicious application installed on the device, or any local code with the ability to issue binder calls, can invoke the unprotected Package Manager API. No user interaction, social engineering step, or additional exploit chain is required. The attacker reaches the device lock controller surface directly through the missing-check path and obtains capabilities normally reserved for system components.

No verified public proof-of-concept code is available. Technical specifics will appear in the Android Security Bulletin 17 and associated AOSP commits once released by Google.

Detection Methods for CVE-2026-0092

Indicators of Compromise

  • Unexpected calls from non-system UIDs into Package Manager interfaces associated with device lock controller management.
  • Applications that exercise device administration or lock-related APIs without holding the corresponding declared permissions.
  • Devices reporting altered device lock state without an administrator action recorded in MDM logs.

Detection Strategies

  • Monitor logcat for Package Manager and device policy events that originate from unprivileged UIDs.
  • Inspect installed packages for apps requesting unusual sets of system or signature-level permissions.
  • Correlate enterprise mobility management (EMM) telemetry with device lock state changes to flag out-of-band modifications.
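The indicators and detection strategies above boil down to one rule: lock-related Package Manager or device policy events whose caller is an application UID rather than a system UID. The following added example (not code from the original advisory) applies that rule to constructed logcat lines; it assumes the `logcat -v uid,threadtime` layout with a UID column between the timestamp and the PID, and the tag and keyword lists are illustrative assumptions to adapt to real device output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Android reserves UIDs below 10000 for system components; app UIDs start at
# 10000 (u0_a0) for user 0, and each additional user adds 100000.
AID_APP_START = 10000
PER_USER_RANGE = 100000
NAMED_UIDS = {"root": 0, "system": 1000, "shell": 2000}

# Assumed tags/keywords: tune these against the events your fleet actually emits.
SUSPICIOUS_TAGS = {"PackageManager", "DevicePolicyManager", "LockSettingsService"}
LOCK_KEYWORDS = ("device lock", "lock controller", "setlock")

# Assumed line shape: `logcat -v uid,threadtime` (timestamp, UID, PID, TID, level, tag, msg).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<uid>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<tid>\d+)\s+(?P<lvl>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)

@dataclass
class Finding:
    uid: int
    tag: str
    msg: str

def uid_to_int(uid: str) -> Optional[int]:
    """Map a logcat UID column ('1000', 'system', 'u0_a42') to a numeric UID."""
    if uid.isdigit():
        return int(uid)
    if uid in NAMED_UIDS:
        return NAMED_UIDS[uid]
    m = re.fullmatch(r"u(\d+)_a(\d+)", uid)
    if m:
        return int(m.group(1)) * PER_USER_RANGE + AID_APP_START + int(m.group(2))
    return None  # unknown naming: leave it to a human

def flag_unprivileged_lock_calls(lines: List[str]) -> List[Finding]:
    """Return lock-related events whose caller is an application UID (>= 10000)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        uid = uid_to_int(m.group("uid"))
        tag, msg = m.group("tag").strip(), m.group("msg")
        if uid is None or uid < AID_APP_START or tag not in SUSPICIOUS_TAGS:
            continue  # system caller or unrelated subsystem
        if any(k in msg.lower() for k in LOCK_KEYWORDS):
            findings.append(Finding(uid, tag, msg))
    return findings

# Constructed sample lines (not real device output).
SAMPLE = [
    "06-17 10:22:31.123     1000  1234  1301 I PackageManager: device lock controller update requested by system",
    "06-17 10:22:35.456  u0_a217  4521  4521 I PackageManager: device lock controller update requested",
    "06-17 10:22:36.001  u0_a217  4521  4521 D ActivityManager: Start proc com.example.app",
    "06-17 10:22:40.789    10305  4600  4600 W DevicePolicyManager: setLock state changed without admin",
]
```

Each Finding carries the numeric UID so it can be joined against the installed-package inventory from the next strategy (which app owns that UID, and which permissions it declares).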

Monitoring Recommendations

  • Track Android build fingerprints across the fleet and alert on devices still reporting pre-patch Android 17 builds.
  • Forward mobile device telemetry into a centralized analytics platform for behavioral baselining of lock controller events.
  • Review Google Play Protect verdicts and sideloaded application inventories on a recurring schedule.

How to Mitigate CVE-2026-0092

Immediate Actions Required

  • Apply the Android 17 security patch level referenced in the Android Security Bulletin 17 as soon as the OEM build is available.
  • Restrict installation of applications from untrusted sources and enforce Google Play Protect on all managed devices.
  • Enforce MDM policies that block sideloading and require devices to report a patched security patch level before accessing corporate resources.

Patch Information

Google has published fixes through the Android 17 security bulletin. Device manufacturers integrate these fixes into their own monthly security patch level (SPL) releases. Administrators should confirm that managed devices report a security patch level that is equal to or later than the SPL associated with the Android 17 bulletin entry for CVE-2026-0092. Refer to the Android Security Bulletin 17 for the authoritative patch level and AOSP references.

Workarounds

  • Limit deployment of Android 17.0 devices until the OEM has shipped the fixed security patch level.
  • Enforce strong device administrator policies through an EMM solution to detect unauthorized changes to device lock state.
  • Reduce the application install surface by disabling installation from unknown sources via managed configuration.
```bash
# Verify the security patch level on a managed Android device via adb
adb shell getprop ro.build.version.security_patch
adb shell getprop ro.build.version.release
```
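The two getprop values above are only useful once they are compared against the bulletin's patch level across the fleet, as the Patch Information section describes. This added example (not part of the original page) does that comparison: it assumes a fleet inventory keyed by device serial holding the collected properties, fails closed on an empty or malformed patch level, and uses a placeholder required SPL because the page does not state the real one.

```python
from datetime import date
from typing import Dict, List, Optional

# PLACEHOLDER: the page does not give the SPL that fixes CVE-2026-0092.
# Substitute the value from the Android Security Bulletin 17 entry.
REQUIRED_SPL = "2026-06-05"

def parse_spl(value: str) -> Optional[date]:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if empty or malformed."""
    try:
        y, m, d = (int(p) for p in value.strip().split("-"))
        return date(y, m, d)
    except (ValueError, TypeError):
        return None

def is_patched(reported_spl: str, required_spl: str = REQUIRED_SPL) -> bool:
    """True only when the reported SPL is equal to or later than the required one.
    A missing or unparseable reported value counts as unpatched (fail closed)."""
    required = parse_spl(required_spl)
    if required is None:
        raise ValueError(f"bad required SPL: {required_spl!r}")
    reported = parse_spl(reported_spl)
    return reported is not None and reported >= required

def unpatched_devices(fleet: Dict[str, Dict[str, str]],
                      required_spl: str = REQUIRED_SPL) -> List[str]:
    """Serials of Android 17 devices still below the required SPL.
    Other releases are out of scope for this CVE and are skipped."""
    out = []
    for serial, props in fleet.items():
        release = props.get("ro.build.version.release", "").strip()
        if release.split(".")[0] != "17":  # accepts "17" as well as "17.0"
            continue
        if not is_patched(props.get("ro.build.version.security_patch", ""), required_spl):
            out.append(serial)
    return sorted(out)

# Constructed sample inventory (not real device data).
FLEET = {
    "SERIAL-A": {"ro.build.version.release": "17", "ro.build.version.security_patch": "2026-05-05"},
    "SERIAL-B": {"ro.build.version.release": "17.0", "ro.build.version.security_patch": "2026-06-05"},
    "SERIAL-C": {"ro.build.version.release": "16", "ro.build.version.security_patch": "2026-05-05"},
    "SERIAL-D": {"ro.build.version.release": "17", "ro.build.version.security_patch": ""},
}
```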

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
