
CVE-2026-0158: Google Android Information Disclosure Flaw

CVE-2026-0158 is an information disclosure vulnerability in Google Android Camera that allows unauthorized access to photos without permission checks. This article covers the technical details, affected versions, and mitigations.


CVE-2026-0158 Overview

CVE-2026-0158 is a local information disclosure vulnerability in the Android Camera component. The flaw stems from a missing permission check that allows unauthorized access to photos stored on the device. An attacker with local access and low privileges can read photo data without triggering any user interaction. The vulnerability is categorized under CWE-862 Missing Authorization. Google addressed the issue in the Android Security Bulletin June 2026.

Critical Impact

Local applications can bypass permission enforcement to read photos from the Camera component without user consent or additional execution privileges.

Affected Products

  • Google Android (Pixel devices, per the June 2026 Pixel Security Bulletin)
  • Android Camera component
  • Devices not yet patched to the June 2026 security patch level

Discovery Timeline

  • 2026-06-16 - CVE-2026-0158 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-0158

Vulnerability Analysis

The vulnerability resides in the Android Camera component. A code path that exposes photo data does not enforce the required permission check before returning content to the caller. As a result, a local application without the runtime media or storage permissions can retrieve photos that should be gated by user consent. Exploitation requires only local access and low privileges, with no user interaction needed.

The issue is classified as CWE-862 Missing Authorization. Confidentiality is impacted at a low level, while integrity and availability are unaffected. The vulnerability does not yield code execution and does not elevate privileges beyond information disclosure.

Root Cause

The root cause is a missing permission check in the Camera component's access path to photo content. Android's permission model relies on explicit checks before returning sensitive media. The omitted check allows callers without READ_MEDIA_IMAGES or equivalent grants to access photos that should be protected.

Attack Vector

An attacker must first place code on the device, typically through a malicious or trojanized application installed by the user. Once running, the application invokes the affected Camera interface and retrieves photo data without holding the required permission. No phishing, social engineering at runtime, or additional user prompts are required during exploitation.

No public proof-of-concept exploit is available. The EPSS probability is 0.06%, reflecting low predicted exploitation activity. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-0158

Indicators of Compromise

  • Unexpected applications accessing Camera component interfaces without holding declared media permissions
  • Anomalous read activity against photo storage paths initiated by recently installed third-party applications
  • Applications that target the Camera component shortly after installation and exit without producing user-visible activity

Detection Strategies

  • Audit installed applications for declared permissions that do not match observed behavior against Camera interfaces
  • Review mobile device management (MDM) telemetry for application processes invoking Camera content providers outside of normal usage
  • Correlate application install events with subsequent media access attempts on the same device

Monitoring Recommendations

  • Track Android security patch level (ro.build.version.security_patch) across the fleet and flag devices below the June 2026 patch level
  • Monitor sideloaded application installations and applications requesting Camera-adjacent capabilities
  • Enforce telemetry collection on mobile endpoints to surface unauthorized media access patterns
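The fleet check and permission audit described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original advisory and not Google tooling. It assumes adb is on PATH and the devices are authorized for debugging; the baseline is the 2026-06-01 patch level named in this article. The package name com.example.gallerylite and the dumpsys excerpt in SAMPLE_DUMPSYS are constructed for the offline demonstration and only approximate the real `dumpsys package` layout.

```shell
#!/bin/sh
# Fleet triage for CVE-2026-0158 (added example; assumptions are noted inline).
BASELINE="2026-06-01"   # patch level that carries the corrected permission check

# Returns 0 when PATCH (YYYY-MM-DD) is older than the baseline, 1 when it is
# current, 2 when the string is not a patch level at all (e.g. empty getprop).
patch_below_baseline() {
    patch="$1"
    baseline="${2:-$BASELINE}"
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the dashes so the dates compare as integers: 2026-06-01 -> 20260601
    p=$(printf '%s' "$patch" | tr -d '-')
    b=$(printf '%s' "$baseline" | tr -d '-')
    [ "$p" -lt "$b" ]
}

# Reads `adb shell dumpsys package <pkg>` text on stdin and prints, one per
# line, the runtime permissions reported as granted=true.
granted_runtime_permissions() {
    awk '
        /^ *runtime permissions:/ { inblock = 1; next }
        inblock && /^ *[A-Za-z0-9_.]+: granted=/ {
            split($1, f, ":")                 # "android.permission.X:" -> name
            if ($0 ~ /granted=true/) print f[1]
            next
        }
        inblock { inblock = 0 }               # any other line ends the block
    '
}

# Returns 0 when the dumpsys text on stdin shows PERM granted at runtime.
has_runtime_grant() {
    granted_runtime_permissions | grep -qx "$1"
}

# Live check for one device serial (requires adb; not exercised offline).
# Unpatched devices get their third-party packages listed with whether each
# holds READ_MEDIA_IMAGES, the grant the flawed Camera path should require.
triage_device() {
    serial="$1"
    patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    rc=0; patch_below_baseline "$patch" || rc=$?
    case "$rc" in
        0)
            echo "$serial: patch level $patch is below $BASELINE - review third-party apps"
            adb -s "$serial" shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
            while read -r pkg; do
                if adb -s "$serial" shell dumpsys package "$pkg" | tr -d '\r' |
                   has_runtime_grant android.permission.READ_MEDIA_IMAGES; then
                    echo "  $pkg: holds READ_MEDIA_IMAGES"
                else
                    echo "  $pkg: no READ_MEDIA_IMAGES grant; any photo access by it is unexpected"
                fi
            done ;;
        1) echo "$serial: patch level $patch meets baseline $BASELINE" ;;
        *) echo "$serial: could not read ro.build.version.security_patch" ;;
    esac
}

# Runs triage_device over every device adb currently reports as connected.
audit_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do triage_device "$serial"; done
}

# Constructed dumpsys excerpt for offline use (hypothetical package; the real
# output has many more sections, but the "runtime permissions:" block is the
# part this parser relies on).
SAMPLE_DUMPSYS='  Package [com.example.gallerylite] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_MEDIA_IMAGES
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
    '

# Offline demonstration (no adb needed); run audit_fleet for the live version.
if patch_below_baseline "2026-05-05"; then
    echo "2026-05-05 is below the $BASELINE baseline"
fi
if printf '%s\n' "$SAMPLE_DUMPSYS" | has_runtime_grant android.permission.READ_MEDIA_IMAGES; then
    echo "sample package holds READ_MEDIA_IMAGES"
else
    echo "sample package has no READ_MEDIA_IMAGES grant (CAMERA only)"
fi
```

The patch-level comparison treats the date as an integer after removing the dashes, so it stays correct across year boundaries and needs no date utilities. The permission parser keys only on the `runtime permissions:` block, because that is where user-consent grants such as READ_MEDIA_IMAGES appear; install-time permissions are listed separately and are not relevant to this flaw.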

How to Mitigate CVE-2026-0158

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected Pixel and Android devices
  • Restrict installation of applications from unknown sources through MDM policy
  • Review and remove unused or untrusted applications that have been granted broad device access

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Devices running the 2026-06-01 security patch level or later contain the corrected permission check in the Camera component. Original equipment manufacturers (OEMs) distribute the patch on their own schedule, so confirm vendor-specific availability for non-Pixel devices.

Workarounds

  • Limit installation of third-party applications until the device receives the June 2026 patch level
  • Use enterprise mobility management to restrict applications that request Camera or media-related capabilities on unpatched devices
  • Revoke unnecessary permissions on existing applications and remove applications that no longer require access to media content
```bash
# Verify the Android security patch level on a device via adb
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
