CVE Vulnerability Database

CVE-2026-0099: Android Privilege Escalation Vulnerability

CVE-2026-0099 is a privilege escalation vulnerability in Google Android that allows unauthorized activity launches from the background. This article covers the technical details, affected versions, and mitigation steps.


CVE-2026-0099 Overview

CVE-2026-0099 is a local privilege escalation vulnerability in the Android operating system. The flaw resides in the onNullBinding method of HostEmulationManager.java, a component of the Android Near Field Communication (NFC) Host Card Emulation (HCE) subsystem. A logic error allows an unprivileged application to cause an activity to be started from the background, bypassing Android's background activity launch (BAL) restrictions. Exploitation requires user interaction and local access but no additional execution privileges. The vulnerability affects Android versions 14, 15, and 16, including several Android 16 QPR2 beta releases.

Critical Impact

A local attacker with low privileges can escalate privileges on the device by launching an unauthorized activity from the background, potentially enabling UI redress or further compromise of the user session.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - Google publishes the Android Security Bulletin addressing CVE-2026-0099
  • 2026-06-01 - CVE-2026-0099 published to the National Vulnerability Database (NVD)
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-0099

Vulnerability Analysis

The vulnerability is categorized under CWE-273: Improper Check for Dropped Privileges. The defect exists in HostEmulationManager.java, part of the Android NFC service that mediates Host Card Emulation transactions. onNullBinding is the ServiceConnection callback the framework invokes when a bindService() call succeeded but the target service's onBind() returned null. On the affected code path, that callback goes on to start an activity without first validating the calling context.

An attacker who controls a low-privileged application on the device can trigger this callback under conditions that result in an activity being started from the background. Since Android 10 the platform restricts background activity launches precisely to prevent this kind of foreground hijacking. Bypassing the restriction lets a local attacker place attacker-controlled UI on top of legitimate apps, which can be leveraged for tapjacking, credential harvesting, or further escalation when combined with user interaction.

Root Cause

The root cause is a logic error in the onNullBinding handler. The handler proceeds with the activity launch without re-checking whether the originating caller meets the privilege and foreground-state requirements that the Activity Manager enforces elsewhere. This is an improper check for dropped privileges: the code assumes a trusted execution context that is no longer guaranteed at the point the callback runs.

Attack Vector

Exploitation requires local access through a malicious application installed on the device, combined with user interaction such as tapping a UI element or holding the device to an NFC reader. No elevated permissions are needed on entry. The malicious app triggers the null-binding code path in HostEmulationManager; because the launch is then issued from the system's NFC service rather than from the app itself, the attacker-chosen activity comes up in the foreground even though the app is in the background, giving the attacker control over what the user sees.

At the time of writing no public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Android Security Bulletin for June 2026 for the authoritative technical details.

Detection Methods for CVE-2026-0099

Indicators of Compromise

  • Unexpected activities launched while the device screen is locked or while the user is interacting with an unrelated app
  • Installed applications declaring NFC permissions or exporting a HostApduService (HCE) without a clear business purpose
  • Mobile device management (MDM) telemetry showing apps starting foreground activities from background service contexts

Detection Strategies

  • Monitor Android system logs (logcat ActivityTaskManager "START" entries) for activity starts whose caller is the NFC service but whose target component belongs to a third-party package
  • Use mobile threat defense tooling to flag applications that exercise HostApduService or HCE bindings in unusual patterns
  • Correlate user-reported UI anomalies, such as unexpected prompts or overlays, with recently installed applications
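The log-based strategy above, as an added shell example that is not part of the bulletin or of Android's own tooling. It assumes the NFC service (com.android.nfc) runs as uid 1027 (AID_NFC on AOSP builds; confirm on your devices with `adb shell dumpsys package com.android.nfc`) and that ActivityTaskManager logs starts in the "START u0 {... cmp=pkg/cls} ... from uid N" shape; the three log lines in the block are constructed to that shape, not captured from a device.

```bash
#!/usr/bin/env bash
# Added example (not from the bulletin or from AOSP): flag activity starts
# issued by the NFC service for components outside com.android.nfc, which is
# the observable side effect of the bypass this page describes.
#
# Assumptions, to verify on your build:
#  * com.android.nfc runs as uid 1027 (AID_NFC on AOSP). Check with:
#      adb shell dumpsys package com.android.nfc | grep userId
#  * ActivityTaskManager logs starts as
#      "... START u0 {... cmp=<pkg>/<cls>} ... from uid <n>"
#    The sample lines further down are constructed in that shape.

NFC_UID="${NFC_UID:-1027}"

# flag_nfc_launches: reads logcat text on stdin, prints "<pkg> <raw line>"
# for every start whose caller uid is the NFC service and whose target
# package is not com.android.nfc itself (its own chooser and "tap again"
# dialogs are legitimate starts and must not fire the rule).
flag_nfc_launches() {
  awk -v nfcuid="$NFC_UID" '
    /ActivityTaskManager: START u/ {
      uid = ""; pkg = ""
      if (match($0, /from uid [0-9]+/)) { uid = substr($0, RSTART + 9, RLENGTH - 9) }
      if (match($0, /cmp=[^ }]+/)) {
        pkg = substr($0, RSTART + 4, RLENGTH - 4)
        sub(/\/.*/, "", pkg)              # keep the package, drop "/Class"
      }
      if (uid == nfcuid && pkg != "" && pkg != "com.android.nfc") { print pkg " " $0 }
    }'
}

# Constructed sample, not captured device output: a legitimate NFC chooser
# start, a suspicious third-party start by the NFC uid, and a browser start
# by an ordinary app uid.
SAMPLE_LOG='06-02 10:14:31.201  1442  1460 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cmp=com.android.nfc/.cardemulation.AppChooserActivity} from uid 1027
06-02 10:14:32.009  1442  1460 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cmp=com.example.evil/.OverlayActivity} from uid 1027
06-02 10:14:33.500  1442  1470 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW cmp=com.android.chrome/.Main} from uid 10144'

# demo: runs the rule over the sample; only the com.example.evil line is printed.
# Live use:  adb logcat -d -s ActivityTaskManager | flag_nfc_launches
demo() {
  printf '%s\n' "$SAMPLE_LOG" | flag_nfc_launches
}
```

Against a live device replace the constructed sample with `adb logcat -d -s ActivityTaskManager | flag_nfc_launches`. Starts of com.android.nfc's own components are expected and excluded; anything else started by that uid is worth correlating with recently installed apps and with the device's patch level.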

Monitoring Recommendations

  • Track the Android security patch level across the managed device fleet and flag devices still reporting a level earlier than 2026-06-01
  • Audit sideloaded applications and applications from non-Play sources for NFC capability declarations
  • Enable Google Play Protect and review its scan results across enrolled devices

How to Mitigate CVE-2026-0099

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected Android 14, 15, and 16 devices
  • Update Android 16 QPR2 beta devices to the latest beta or stable release that includes the fix
  • Enforce MDM policies that block installation of applications from untrusted sources

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the corrected onNullBinding logic in HostEmulationManager.java. OEMs and carriers distribute the fix through their normal update channels, so the availability date varies by vendor.

Workarounds

  • Disable NFC on devices where it is not required for business operations until the patch is applied
  • Restrict installation of third-party applications via enterprise mobility management policies
  • Educate users to avoid interacting with unexpected prompts or NFC readers from untrusted sources
```bash
# Verify the Android security patch level on a connected device via ADB
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 (or a later date)
```
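A fleet version of that check, added here as an example and not taken from the bulletin or from Google's tooling: it sweeps every device adb can see, compares each device's reported patch level against 2026-06-01 as a date, and separates the affected releases (14, 15, 16) from releases the bulletin does not list. The adb commands and property names are real; the classification and report format are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the Android Security Bulletin or Google tooling):
# fleet sweep of ro.build.version.security_patch against the fixing level.

FIX_LEVEL="2026-06-01"   # first patch level carrying the HostEmulationManager fix

# classify_patch_level LEVEL -> prints PATCHED, UNPATCHED or UNKNOWN.
# LEVEL is the raw ro.build.version.security_patch value (YYYY-MM-DD);
# adb shell output carries a trailing CR, which is stripped first.
classify_patch_level() {
  level=$(printf '%s' "$1" | tr -d '\r')
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo UNKNOWN; return 0 ;;          # empty or malformed: never assume patched
  esac
  # An ISO date compares correctly as an integer once the dashes are removed,
  # so 2026-07-05 >= 2026-06-01 holds without any date(1) parsing.
  have=$(printf '%s' "$level" | sed 's/-//g')
  need=$(printf '%s' "$FIX_LEVEL" | sed 's/-//g')
  if [ "$have" -ge "$need" ]; then echo PATCHED; else echo UNPATCHED; fi
}

# fleet_report -> one line per attached device:
#   <serial> <android-release> <patch-level> <status>
# Releases the bulletin does not list are reported as NOT_LISTED rather than
# PATCHED so they are not silently counted as fixed.
fleet_report() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    case "$release" in
      14|14.*|15|15.*|16|16.*) status=$(classify_patch_level "$level") ;;
      *)                       status=NOT_LISTED ;;
    esac
    printf '%s %s %s %s\n' "$serial" "${release:-?}" "${level:-?}" "$status"
  done
}

# Usage on a workstation with adb and the devices attached; the grep hides
# only lines ending in " PATCHED" (UNPATCHED and UNKNOWN stay visible):
#   fleet_report | grep -v ' PATCHED$'
```

Devices reporting UNKNOWN (empty or non-date property) should be treated as unpatched until inspected, since a missing property is exactly what a modified or pre-release build can present.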

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
