CVE-2026-0098 Overview
CVE-2026-0098 is a local privilege escalation vulnerability in Google Android affecting the getCallingPackageName function in Shared.java. The flaw stems from a confused deputy condition that allows an attacker to bypass activity start restrictions. Successful exploitation results in local escalation of privilege without requiring additional execution privileges or user interaction. The issue is categorized under CWE-441: Unintended Proxy or Intermediary. Google addressed the vulnerability in the Android Security Bulletin June 2026.
Critical Impact
A local application without special permissions can bypass activity launch restrictions and elevate privileges on affected Android devices running versions 14, 15, and 16.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google releases security patch in the Android Security Bulletin June 2026
- 2026-06-01 - CVE-2026-0098 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-0098
Vulnerability Analysis
The vulnerability resides in the getCallingPackageName method located in Shared.java. This function is used by privileged Android system components to identify the calling application before authorizing sensitive operations such as starting activities. Because the method does not correctly attribute the true originator of a request, a privileged component can be tricked into performing actions on behalf of a lower-privileged caller. This pattern is a classic confused deputy issue, tracked as [CWE-441].
Activity start restrictions on Android exist to prevent background applications from launching arbitrary foreground UI, hijacking the user experience, or invoking sensitive system flows. By bypassing these restrictions, a malicious local app gains the ability to launch activities it would otherwise be blocked from invoking, opening pathways to privileged surfaces.
Root Cause
The root cause is incorrect caller identification logic in getCallingPackageName. When a system component proxies a request, the function returns or relies on a package identity that reflects the intermediary rather than the original requester. Authorization decisions made downstream then apply the intermediary's elevated permissions to the attacker's request.
Attack Vector
An attacker must first install or run a local unprivileged application on the target device. The application crafts an intent or service interaction that traverses a vulnerable privileged component. The privileged component invokes getCallingPackageName, misattributes the caller, and starts an activity the attacker could not have started directly. No user interaction is required, and the attack runs at low privilege levels. Verified proof-of-concept code is not publicly available at the time of writing.
Detection Methods for CVE-2026-0098
Indicators of Compromise
- Unexpected launches of system or privileged activities originating from third-party application UIDs.
- Android logcat entries showing activity starts that traverse system components on behalf of unprivileged packages.
- Installation of unverified APKs followed by anomalous activity transitions in ActivityTaskManager logs.
Detection Strategies
- Monitor mobile devices for installation of applications from untrusted sources, particularly those requesting broad intent filters.
- Review Android security patch levels across the managed fleet and flag devices reporting a patch level earlier than June 2026.
- Correlate ActivityManager and PackageManager events to detect activity starts whose claimed calling package does not match the originating process UID.
Monitoring Recommendations
- Enforce mobile device management (MDM) policies that report patch level compliance against the Android Security Bulletin June 2026.
- Ingest mobile telemetry into a centralized analytics platform to baseline activity launch behavior and detect deviations.
- Alert on side-loaded applications and on apps requesting privileges inconsistent with their stated functionality.
How to Mitigate CVE-2026-0098
Immediate Actions Required
- Apply the June 2026 Android security patch on all devices running Android 14, 15, or 16.
- Restrict installation of applications from unknown sources through MDM configuration.
- Audit installed applications on managed devices and remove any that are unsigned or from unverified developers.
Patch Information
Google published the fix in the Android Security Bulletin June 2026. Devices must report a security patch level of 2026-06-01 or later to be considered remediated. OEM update timing varies, so administrators should track vendor-specific rollout schedules for their device inventory.
Workarounds
- Limit deployment of untrusted third-party applications until patched firmware is available from the device OEM.
- Use work profiles or separate user profiles to isolate enterprise data from personal applications on affected devices.
- Where supported, require Google Play Protect to remain enabled to block known malicious applications attempting local privilege escalation.
# Verify Android security patch level via ADB
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

