HIGH | CVE-2026-0077 | CNA: google_android

CVE-2026-0077: In resumeConfigurationDispatch of ActivityRecord

In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in the Android window manager component, specifically in the resumeConfigurationDispatch method of ActivityRecord.java. An attacker with a low-privilege local account can exploit a logic error to launch background applications without authorization, bypassing Android's background activity launch restrictions. Successful exploitation grants full read, write, and execution control over the affected device without requiring any user interaction. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Google publishes a fix for Android 16-QPR2.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived container images, in both registry scans and CI/CD pipeline checks. Any image shipping the affected Android 16-QPR2 component is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and weights the finding against each customer environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Status: Available

Patch

No upstream fix version has been published for this CVE yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix for Android 16-QPR2. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the device is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no elevated or administrative credentials are needed.

  • Victim interaction: Not required

    The exploit executes entirely without any action from a logged-in user or other victim.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, specific memory layouts, or environmental prerequisites are required.

Blast Radius

  • Attacker gains full read access to files, credentials, and application data belonging to other users or system processes on the device.
  • Attacker gains full write access, allowing modification or deletion of system files, application data, and persisted configuration.
  • Attacker achieves code execution at an elevated privilege level by launching arbitrary background applications outside normal Android launch controls.
  • The combination of high confidentiality, integrity, and availability impact means the attacker can fully compromise or render inoperable the affected Android instance.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously with no fix version currently published by Google for Android 16-QPR2. On every ingest cycle HarborGuard re-checks the upstream advisory so a patched rebuild becomes available the moment a fix is released. In the meantime, customers can use HarborGuard's policy controls to flag or block deployment of images containing the affected component, apply network-policy isolation to limit the blast radius of any compromised container, and use feature-flag gating to restrict execution contexts that include the vulnerable ActivityRecord path. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR flow will trigger automatically against affected workloads as soon as the upstream patch is ingested.

Affected packages

  • Google / Android: 16-qpr2

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H