CVE-2026-0145 Overview
CVE-2026-0145 is a permission bypass vulnerability in the Android keymint component. A logic error in the access control code allows a local attacker with low privileges to bypass intended permission checks. Successful exploitation leads to local information disclosure without requiring user interaction or additional execution privileges.
The weakness is tracked as Missing Authorization [CWE-862]. Google published the issue in the Android Security Bulletin for June 2026. The vulnerability affects the Android cryptographic key management subsystem, which keymint provides to applications and the Android Keystore.
Critical Impact
A local application with standard privileges can bypass permission checks in keymint to read information that should be restricted, enabling information disclosure on affected Android devices.
Affected Products
- Google Android (per Pixel Security Bulletin, June 2026)
- Devices using the affected keymint HAL implementation
- Android Open Source Project (AOSP) builds containing the vulnerable code path
Discovery Timeline
- 2026-06-01 - Google publishes the Android Security Bulletin entry for keymint
- 2026-06-16 - CVE-2026-0145 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-0145
Vulnerability Analysis
The vulnerability resides in the Android keymint component, which implements the hardware-backed key management interface used by the Android Keystore. A logic error in code that enforces caller permissions allows the component to perform a privileged operation when it should reject the request.
The defect maps to [CWE-862] Missing Authorization. The check that should gate access to protected information is either skipped, evaluated against an incorrect condition, or returns a permissive result for a code path it should deny. This allows a local caller to obtain information that the security model is designed to restrict to higher-privileged contexts.
Impact is limited to confidentiality. The flaw does not modify data or affect availability, and exploitation does not grant additional execution privileges. Because keymint mediates cryptographic key material and related metadata, disclosure from this surface is sensitive even when scoped to information only.
Root Cause
The root cause is a logic error in permission enforcement within keymint. The control flow reaches an information-returning operation along a path that omits or mis-evaluates the required authorization check, producing a Missing Authorization condition.
Attack Vector
An attacker requires local access and low-privilege code execution on the device, for example through an installed application. The attacker invokes the affected keymint interface from their process. No user interaction is required. The flaw is described in prose only because no verified public proof-of-concept code is available. See the Android Security Bulletin June 2026 for vendor technical details.
Detection Methods for CVE-2026-0145
Indicators of Compromise
- No public indicators of compromise have been published for CVE-2026-0145.
- Unexpected invocations of keymint interfaces from non-system applications may warrant review.
- Installed applications requesting cryptographic operations inconsistent with their declared functionality.
Detection Strategies
- Inventory Android devices and compare each device's reported security patch level against the fixed level listed in the June 2026 bulletin (2026-06-01).
- Review mobile application telemetry for processes making unusual calls into the Android Keystore or keymint HAL.
- Use mobile threat defense tooling to flag applications that request sensitive key material outside expected workflows.
Monitoring Recommendations
- Track Android security patch level (ro.build.version.security_patch) across the managed device fleet.
- Alert when devices remain below the 2026-06-01 patch level after the vendor update window.
- Monitor enterprise mobility management (EMM) compliance reports for devices that have not received the June 2026 update.
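As an added example (not code from the bulletin or from the page's author), the following POSIX shell script generalizes the single-device patch-level check to a fleet: it reads ro.build.version.security_patch from every device adb can see, compares it against 2026-06-01, and treats an empty or malformed value as not patched. It assumes adb is on PATH and that each device has authorised USB debugging.

```sh
#!/bin/sh
# Added example: fleet check of ro.build.version.security_patch against the
# June 2026 bulletin fix level. Not code from the original page or from Google.
# Assumes adb is installed and each device has authorised USB debugging.

REQUIRED_PATCH_LEVEL="2026-06-01"   # first patch level containing the fix

# patch_level_ok LEVEL [REQUIRED]
# Exit 0 if LEVEL is a well-formed YYYY-MM-DD string at or after REQUIRED,
# exit 1 otherwise. An empty or malformed property is treated as unpatched.
patch_level_ok() {
  level=$1
  required=${2:-$REQUIRED_PATCH_LEVEL}
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # Strip the dashes (2026-06-01 -> 20260601) so the zero-padded dates can be
  # compared as integers; this orders them chronologically.
  [ "$(printf '%s' "$level" | tr -d '-')" -ge "$(printf '%s' "$required" | tr -d '-')" ]
}

# classify_device LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN
classify_device() {
  if [ -z "$1" ]; then
    echo UNKNOWN            # property missing: device needs manual review
  elif patch_level_ok "$1"; then
    echo PATCHED
  else
    echo VULNERABLE
  fi
}

# check_fleet: query every device adb currently sees and print one
# tab-separated line per device: serial, reported patch level, status.
check_fleet() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found on PATH" >&2; return 1; }
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    printf '%s\t%s\t%s\n' "$serial" "${level:-none}" "$(classify_device "$level")"
  done
}

# Run the fleet check only when invoked with --fleet, so the functions can
# also be sourced and used individually (for example from an EMM export job).
if [ "${1:-}" = "--fleet" ]; then
  check_fleet
fi
```

Devices reported as VULNERABLE or UNKNOWN are the ones to escalate once the vendor update window has passed.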
How to Mitigate CVE-2026-0145
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) to all managed devices.
- Enforce minimum patch level policies through EMM or mobile device management (MDM) compliance rules.
- Restrict installation of untrusted applications, since exploitation requires local code execution.
Patch Information
Google addressed CVE-2026-0145 in the Android Security Bulletin June 2026. Devices reporting a security patch level of 2026-06-01 or later contain the fix. Pixel devices receive the update directly from Google; other Android OEMs ship the fix according to their own release cadence.
Workarounds
- No vendor-supplied workaround is documented. Apply the security patch as the supported remediation.
- Limit application installation to vetted sources such as managed Google Play to reduce the local attack surface.
- Use EMM policies to block sideloading and restrict developer options on enterprise devices.
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.