CVE-2026-28586 Overview
CVE-2026-28586 is a permission bypass vulnerability in the Android operating system. The flaw resides in multiple functions of AppOpsService.java and stems from a missing permission check. A local application can exploit the weakness to access information it should not be authorized to read. Exploitation requires no user interaction and no additional execution privileges beyond those granted to a low-privileged local app. Google addressed the issue in the June 2026 Android Security Bulletin. The vulnerability is classified under CWE-269: Improper Privilege Management.
Critical Impact
A local application with low privileges can bypass permission checks in AppOpsService to disclose information without user interaction, affecting Android 14, 15, and 16.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)
Discovery Timeline
- 2026-06-01 - Google publishes fix in the Android Security Bulletin
- 2026-06-01 - CVE-2026-28586 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-28586
Vulnerability Analysis
The vulnerability resides in AppOpsService.java, the Android system service that tracks runtime application operations such as access to location, camera, microphone, and other sensitive resources. Multiple functions within this service fail to enforce required permission checks before returning operation state or metadata. As a result, a local process can query app operation data that should be restricted to privileged callers.
The issue is categorized as Improper Privilege Management [CWE-269]. The attack vector is local, exploitation complexity is low, and the attacker requires only low privileges. Successful exploitation produces local information disclosure with no impact to integrity or availability.
Root Cause
The root cause is a missing permission check in multiple AppOpsService entry points. Caller identity and permissions are not validated before sensitive operation state is returned. Code paths that should be gated by checks such as GET_APP_OPS_STATS or UID equality enforcement instead expose data to any local caller, producing a permissions bypass.
Attack Vector
Exploitation requires a malicious or compromised application running locally on the device. The application invokes the affected AppOpsService interfaces through standard Binder IPC calls. Because the service does not validate the caller's privileges, the API returns app operation data belonging to other applications. No user interaction is needed, and the attacker does not need to escape the application sandbox or gain elevated privileges. The disclosed data can support reconnaissance for follow-on attacks, including profiling user behavior and identifying high-value applications on the device.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-28586
Indicators of Compromise
- Unprivileged applications repeatedly invoking AppOpsManager query interfaces such as getOpsForPackage or getPackagesForOps against packages they do not own.
- Installed applications requesting an unusual breadth of package metadata or operation state outside their declared functionality.
- Sideloaded APKs from untrusted sources running on Android 14, 15, or 16 devices that have not received the June 2026 security patch level.
Detection Strategies
- Review Android logcat and audit logs for anomalous Binder calls into AppOpsService from non-system UIDs.
- Use mobile threat defense tooling to flag applications enumerating cross-package operation state.
- Inspect application manifests and behavior for queries against packages unrelated to the app's stated purpose.
Monitoring Recommendations
- Track device security patch levels across the fleet and alert when devices report a patch level earlier than 2026-06-01.
- Monitor enterprise mobility management (EMM) consoles for devices running Android 16 QPR2 beta builds in production.
- Correlate app install events with subsequent abnormal IPC activity targeting system services.
How to Mitigate CVE-2026-28586
Immediate Actions Required
- Apply the June 2026 Android security patch (patch level 2026-06-01) to all supported devices.
- Identify devices running Android 14, 15, or 16 that have not yet received the update and prioritize remediation.
- Remove untrusted or sideloaded applications from affected devices until patching is complete.
Patch Information
Google released the fix in the Android Security Bulletin June 2026. Device manufacturers ship the patch as part of the 2026-06-01 security patch level. Pixel devices receive the update directly from Google, while OEM devices depend on vendor release schedules.
Workarounds
- Restrict application installation to vetted sources such as Google Play and managed enterprise app catalogs.
- Enforce Google Play Protect and EMM policies that block sideloading on managed devices.
- Audit installed applications and remove any that request AppOpsManager access without clear justification.
# Verify the security patch level on an Android device via adb
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
