HIGH · CVE-2026-0036 · Published · Modified · CNA: google_android

CVE-2026-0036: In startAnimation of StageCoordinator

In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A privilege-escalation vulnerability exists in the startAnimation method of StageCoordinator.java in Android (versions 14, 15, 16, and 16-qpr2). An attacker with an existing low-privilege account on the device can exploit a tapjacking/overlay weakness to silently capture taps intended for other apps, without any user interaction required. Successful exploitation grants the attacker full read, write, and execution control at an elevated privilege level. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment Google publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-based images, in connected registries and CI pipelines. Any image whose Android platform version falls within the affected range (14, 15, 16, 16-qpr2) is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.8 HIGH and applies per-environment compliance policy weighting to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Google releases a corrective update. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once a fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attack is local (AV:L); the attacker needs an existing shell or process on the host and does not require any network access.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker must already have a foothold on the device but does not need administrative rights.

  • Victim interaction: Not required

    No user interaction is required for exploitation; the attacker can trigger the tapjacking condition without any social engineering or victim action.

  • Attack complexity: Detail

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special race conditions, memory layout assumptions, or other environmental factors.

Blast Radius

  • Reads sensitive data stored by other applications or the system, including credentials, session tokens, and private files.
  • Writes or modifies data belonging to other applications or the system, including configuration and persisted user records.
  • Executes code at an elevated privilege level, enabling the attacker to install malicious components or alter system behavior.
  • Silently intercepts user taps intended for legitimate UI elements, redirecting actions to attacker-controlled surfaces without the user's knowledge.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images running affected Android versions (14, 15, 16, 16-qpr2). Because no upstream fix has been published, HarborGuard monitors the Google Android advisory feed each ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include restricting overlay permissions (SYSTEM_ALERT_WINDOW) for untrusted applications via Android enterprise policy, applying network-policy isolation to limit lateral movement from any already-compromised process, and using feature-flag gating to disable split-screen or transition animations in high-sensitivity environments where the StageCoordinator code path is reachable.

Affected packages
  • Google / Android
    16-qpr2 · 16 · 15 · 14
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H