How is CVE-2026-0076 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path. Authentication (required): Any low-privilege account on the device is sufficient; no admin or elevated permissions are needed before exploitation. Victim interaction (not-required): No user interaction of any kind is required; the attacker can trigger the flaw entirely from their own process. Attack complexity (info): The exploit is reliable and condition-free, with no race conditions or specific memory layout requirements needed.

What is the impact of CVE-2026-0076?

Attacker gains full read access to memory regions and files beyond their privilege level, including credential stores and protected system data. Attacker gains write access to privileged system state, allowing persistent modification of configuration, binaries, or stored application data. Attacker can crash or destabilize privileged system services, disrupting device operation. Combined confidentiality, integrity, and availability impact means a successful attacker effectively controls the device at a system level.

Back to search

HIGHCVE-2026-0076Published 2026-06-01Modified 2026-06-03CNA google_android

CVE-2026-0076: In validateNode of ResourceTypes

In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds read vulnerability exists in the validateNode function of ResourceTypes.cpp in Google Android versions 14 through 16-qpr2. The flaw is reachable locally by any low-privilege process and requires no user interaction to trigger. Successful exploitation gives an attacker full local privilege escalation, allowing them to read, modify, or destroy data as a privileged system user. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as Google publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-0076 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Android and Google feeds, including custom-built images derived from affected Android base layers. Any image whose dependency graph resolves to an affected Android version (14, 15, 16, or 16-qpr2) is flagged automatically.

Available

Triage

Triage is available using the recorded CVSS 3.1 score of 7.8 (HIGH), weighted further by each customer organization's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer environment based on their configured policy rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the Google Android advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the interim, the finding remains open and active in each affected customer environment so that no window is missed when upstream ships.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
AuthenticationRequired
Any low-privilege account on the device is sufficient; no admin or elevated permissions are needed before exploitation.
Victim interactionNot required
No user interaction of any kind is required; the attacker can trigger the flaw entirely from their own process.
Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or specific memory layout requirements needed.

Blast Radius

Attacker gains full read access to memory regions and files beyond their privilege level, including credential stores and protected system data.
Attacker gains write access to privileged system state, allowing persistent modification of configuration, binaries, or stored application data.
Attacker can crash or destabilize privileged system services, disrupting device operation.
Combined confidentiality, integrity, and availability impact means a successful attacker effectively controls the device at a system level.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images containing affected Android base layers (versions 14, 15, 16, and 16-qpr2), with findings surfaced at HIGH severity using the CVSS 3.1 score of 7.8. Because no upstream patch exists yet, HarborGuard monitors the Google Android advisory on every ingest cycle and will automatically initiate a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual intervention required. While waiting for a fix, compensating controls worth considering include restricting which processes can run on affected hosts, applying Android SELinux policy tightening where possible, and using network-policy isolation to limit blast radius if a host is compromised.

See how HarborGuard automates this

Affected packages

Google / Android
16-qpr2 · 16 · 15 · 14

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified