CRITICAL | CVE-2026-0071 | Published | Modified | CNA: google_android

CVE-2026-0071: In SettingsLib, there is a possible missing permission check due to a logic error in the code

In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v4.0: 10.0
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A missing permission check in Android's SettingsLib component allows a local attacker to escalate privileges without any additional account permissions or user interaction. The logic error in the code means that a process or app already running on the device can invoke privileged operations that should be gated behind a permission check. Successful exploitation gives the attacker full control over the affected Android device, including access to sensitive data, the ability to modify system state, and the ability to disrupt services. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Google publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-0071 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Android or AOSP components. Any image in a connected registry or CI pipeline that includes an affected version of SettingsLib on Android 17 is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 10.0 (Critical) and weights it against each environment's compliance policy to determine routing priority. Triage findings are surfaced to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Google releases a remediated build. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the missing permission check.

  • Authentication: Not required

    No account credentials or elevated privileges are needed; any unprivileged app or process already running on the device is sufficient to exploit the flaw.

  • Victim interaction: Not required

    The exploit runs entirely within the attacker-controlled process and does not require the device owner or any other user to take any action.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, memory-layout assumptions, or other environmental preconditions.

Blast Radius

  • A successful attacker gains privileged execution on the Android device, bypassing the permission model that normally restricts sensitive operations.
  • The attacker reads protected system data and sensitive user data stored on the device, including credentials, contacts, and app data.
  • The attacker modifies system settings, installs software, and alters persisted data across the device.
  • The attacker can crash or disable system services, causing a denial of service to the device and its running applications.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-0071 at this time, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment Google publishes a remediated version of Android 17 SettingsLib. In the interim, teams can reduce exposure through compensating controls: apply network-policy isolation to limit what privileged services are reachable from untrusted processes, use feature-flag gating to disable non-essential SettingsLib integrations in affected images, and restrict deployment of images containing Android 17 components to workloads where the risk is explicitly accepted. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically once upstream ships a fix, targeting a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues.

Affected packages
  • Google / Android: 17
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H