HIGH | CVE-2026-0019 | CNA: google_android

CVE-2026-0019: In SettingsLib, there is a possible way to disable system components due to a logic error in the code

In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: (no value listed)
Affected Products: 1

HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in Android's SettingsLib library, caused by a logic error that allows an attacker to disable system components. The flaw is reachable locally, requires only a low-privilege account, and needs no interaction from any other user on the device. Successful exploitation gives the attacker full read, write, and execution control at an elevated privilege level. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-0019 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built Android-derived images. Coverage extends to images in customer registries and active CI/CD pipelines, so any affected Android 17 base image is flagged as soon as the record is ingested.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 7.8 HIGH using the CVSS v3.1 vector and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team or inbox within each customer organization based on configured policy rules.

Status: Available

Patch

No fix version has been published upstream for CVE-2026-0019, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a corrected Android release. In the meantime, customers with auto-remediation enabled can receive compensating-control guidance surfaced through the HarborGuard findings workflow.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required.

  • Authentication: Required

    Any low-privilege account on the device is sufficient; no administrative or elevated credentials are needed to reach the vulnerable code path.

  • Victim interaction: Not required

    No action from another user or victim is required; the attacker can trigger exploitation entirely on their own.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, with no race conditions, specific memory layout, or other environmental prerequisites required.

Blast Radius

  • The attacker gains the ability to read sensitive data stored by system components, including configuration state and application data accessible at elevated privilege.
  • The attacker can modify or disable core Android system components, altering device behavior or removing security-relevant services.
  • The attacker achieves local privilege escalation, effectively gaining the same execution rights as a system-level process.
  • Disabling system components can render security controls, update mechanisms, or critical device services inoperable.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-0019 is active and matches affected Android 17 images across customer registries and pipelines without any configuration required. Because no upstream fix exists yet, HarborGuard monitors the Google Android advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a corrected version is released. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. Where compliance policy permits, compensating controls such as network-policy isolation of affected containers and restricting local shell access to Android-derived runtime environments are surfaced as interim recommendations in the HarborGuard findings workflow.

Affected packages
  • Google / Android
    17
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H