HIGH · CVE-2026-0009 · CNA: google_android

CVE-2026-0009: In multiple locations, there is a possible tapjacking due to a logic error in the code

In multiple locations, there is a possible tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Tapjacking vulnerability in Google Android (versions 15 and 16) allows a local attacker to escalate privileges by exploiting a logic error in multiple UI overlay handling locations. The attack requires only a low-privilege local account and no victim interaction, and it runs entirely on the device without any network exposure. Successful exploitation gives the attacker high-level read, write, and execution control over the affected device. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Google publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-0009 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Android security feeds, including custom-built images derived from affected Android base layers. Any image in a customer registry or build pipeline that carries an affected Android 15 or 16 layer is flagged automatically.

Status: Available

Triage

HarborGuard triage capability scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector, and per-environment compliance policy weighting can escalate or adjust priority routing for organizations with stricter mobile or embedded-device baselines. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published by Google Android as of the CVE record date, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code paths.

  • Authentication: Required

    Any low-privilege account on the device is sufficient; no administrative or elevated credentials are needed to begin exploitation.

  • Victim interaction: Not required

    No user action such as clicking a link or approving a prompt is needed; the attacker can exploit the vulnerability without involving the device owner.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, specific memory layouts, or environmental prerequisites must be met by the attacker.

Blast Radius

  • Reads sensitive data stored on the device, including credentials, tokens, and application data accessible at high confidentiality impact.
  • Modifies files, application state, and system settings on the device due to high integrity impact.
  • Disrupts or terminates running services and processes on the affected Android device due to high availability impact.
  • Achieves effective local privilege escalation, gaining capabilities beyond the original low-privilege account without requiring any further execution privileges.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored across all customer image registries and build pipelines for any image layer rooted in affected Android 15 or 16 bases. Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle. The moment Google ships a patched release, a rebuilt image at the fix version becomes available; for customers who opt into auto-remediation, this triggers an automated rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include network-policy isolation of workloads running Android-based container images, restricting low-privilege account creation in affected environments, and applying feature-flag gating to UI overlay or accessibility service features where the tapjacking surface can be reduced.

Affected packages

  • Google / Android: 16 · 15

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H