CRITICAL | CVE-2026-0063 | CNA: google_android

CVE-2026-0063: In setAllowedCarriers of PhoneInterfaceManager

In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v4.0: 10.0
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in the setAllowedCarriers method of PhoneInterfaceManager.java in Android 17. A logic error in the carrier restriction enforcement code allows an attacker to disable carrier lock controls; the flaw is reachable over the network, requires no authentication, and needs no user interaction. Successful exploitation gives the attacker full read, write, and availability impact on both the affected component and connected system components. The CNA description characterizes the issue as local escalation of privilege, whereas the published CVSS vector scores it as network-reachable (AV:N); the exploit conditions listed on this page follow the vector. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Google publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived images, in registries and CI/CD pipelines. Any image carrying the affected Android 17 PhoneInterfaceManager component is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 10.0 Critical and surfaces it at maximum priority in each customer's triage queue. Per-environment compliance policy weighting and team-based routing ensure the alert reaches the right inbox inside each customer organization without manual filtering.

Status: Available
Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the Google Android advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch lands.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerability is reachable over the network; an attacker does not need local or physical access to the device.

  • Authentication: Not required

    No account credentials or prior privileges are needed to reach the vulnerable code path.

  • Victim interaction: Not required

    Exploitation completes without any action from a user on the targeted device.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are required.

Blast Radius

  • Attacker disables carrier restrictions on the targeted Android device, enabling unauthorized SIM or carrier changes.
  • Full read access to sensitive data on the affected component gives the attacker access to stored credentials, messages, and device identifiers.
  • Full write access allows the attacker to modify system configuration, install unauthorized carrier profiles, or alter device policy settings.
  • Availability of both the local component and connected system components can be fully disrupted, effectively bricking carrier-dependent functionality or causing service outages.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked at Critical severity and flagged immediately against any customer image containing the affected Android 17 PhoneInterfaceManager component. Because no upstream patch exists yet, HarborGuard monitors the Google Android advisory on every ingest cycle. In the interim, customers can apply compensating controls through HarborGuard's policy engine, including network-policy isolation to restrict access to the vulnerable interface, egress filtering to limit lateral reach from a compromised component, and feature-flag gating where the carrier management API can be disabled in non-production workloads. For customers with auto-remediation enabled, a rebuilt image, regression test run, and PR opened against affected workloads will be triggered automatically within minutes of Google publishing a fix, with no manual handoff required.

Affected packages

  • Google / Android 17
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H