Severity: CRITICAL | CVE-2026-0081 | CNA: google_android

CVE-2026-0081: In NFC, there is a possible way to spoof an NFC event due to a missing permission check

In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in the NFC subsystem of Android 17, caused by a missing permission check that allows an attacker to spoof NFC events. The CVSS vector scores it at 10.0 (Critical) and indicates it is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives an attacker full control over the affected device, including reading data, modifying data, and disrupting availability of the system and connected services. No fix versions have been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-0081 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built Android-derived container images. Any registry or pipeline image containing an affected version of Android 17 components surfaces as a flagged finding automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 10.0 (Critical) and weighting it against each customer organization's per-environment compliance policy to determine urgency. Routing to the appropriate team inbox within each customer org is available as part of the standard triage pipeline.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google Android ships a remediation. In the interim, the finding remains open and visible in each customer's dashboard so compensating controls can be applied.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerability is reachable over the network: an attacker must be able to send requests to the affected service, but needs no physical or local access.

  • Authentication: Not required

    No credentials or account privileges are needed to trigger the missing permission check and spoof an NFC event.

  • Victim interaction: Not required

    Exploitation requires no action from any user on the target device.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental preconditions.

Blast Radius

  • A successful attacker gains local escalation of privilege, effectively operating with the same or higher permissions than privileged system processes on the device.
  • Confidentiality impact is high on both the vulnerable component and all connected system components, meaning an attacker can read stored data including credentials, session tokens, and application data.
  • Integrity impact is high across vulnerable and downstream system components, meaning an attacker can modify persisted data, application state, and system configuration.
  • Availability impact is high across the vulnerable component and connected system components, meaning an attacker can crash or render unresponsive the affected service and dependent services.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-0081 exists at this time, the platform monitors the Google Android advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes once the upstream fix is available.

While no patch exists, recommended compensating controls include:

  • applying network policy isolation to restrict unexpected inbound traffic to NFC-adjacent services;
  • enabling egress filtering on workloads that embed Android 17 components;
  • gating any NFC-dependent features behind application-layer permission checks as a secondary defense layer.

The finding remains surfaced and prioritized in each customer's dashboard so that teams can act on it immediately.

Affected packages

  • Google / Android 17

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
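
The exploit conditions listed above are a reading of this CVSS vector. As an added example (not HarborGuard's code), the Python below validates the vector, derives those four conditions, and flags the one place where the description's wording ("local escalation of privilege") and the vector (AV:N) need reconciling during triage. The function names and the keyword heuristic are assumptions of the example.

```python
import re

# Mandatory CVSS v4.0 base metrics in specification order, with allowed values.
BASE_METRICS = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN",
}

# Copied from this page's record.
VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
DESCRIPTION = ("In NFC, there is a possible way to spoof an NFC event due to a "
               "missing permission check. This could lead to local escalation "
               "of privilege with no additional execution privileges needed. "
               "User interaction is not needed for exploitation.")


def parse_vector(vector):
    """Return {metric: value}; raise ValueError on a malformed base vector."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    pairs = [part.partition(":") for part in rest.split("/")]
    names = [name for name, _, _ in pairs]
    if names[:len(BASE_METRICS)] != list(BASE_METRICS) or len(set(names)) != len(names):
        raise ValueError("base metrics missing, repeated or out of order")
    metrics = {name: value for name, _, value in pairs}
    for name, allowed in BASE_METRICS.items():
        if len(metrics[name]) != 1 or metrics[name] not in allowed:
            raise ValueError(f"invalid value for {name}: {metrics[name]!r}")
    return metrics


def exploit_conditions(m):
    """Map base metrics to the condition labels used on this page."""
    return {
        "Network reachability": "Required" if m["AV"] == "N" else "Not required",
        "Authentication": "Not required" if m["PR"] == "N" else "Required",
        "Victim interaction": "Not required" if m["UI"] == "N" else "Required",
        "Attack complexity": "Low" if m["AC"] == "L" else "High",
    }


def triage_notes(description, m):
    """Heuristic (an assumption of this example): wording to reconcile by hand."""
    notes = []
    if m["AV"] == "N" and re.search(r"\blocal\b", description, re.I):
        notes.append("description says 'local' but vector has AV:N; confirm "
                     "reachability before relying on network-only controls")
    return notes
```

A note from `triage_notes` is a prompt for manual review of the record, not a correction of either field.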