How is CVE-2026-0082 exploited?

Network reachability (required): The CVSS 4.0 vector specifies AV:N, meaning the vulnerable component is reachable over the network without requiring physical or local access. Authentication (not-required): PR:N indicates no credentials or account privileges are needed before triggering the vulnerability. Victim interaction (not-required): UI:N confirms no user action such as clicking a link or opening a file is required for exploitation. Attack complexity (info): AC:L with AT:N means the exploit is reliable and condition-free, requiring no race conditions, special configurations, or environmental prerequisites.

What is the impact of CVE-2026-0082?

Reads all data on the device, including stored credentials, session tokens, and application data across every installed app. Writes or modifies any persisted data on the device, including system settings and application storage. Crashes or disrupts any running service on the device, including system-level processes. Gains equivalent impact on systems the compromised device can reach, as indicated by the high Subsequent System confidentiality, integrity, and availability scores in the CVSS 4.0 vector.

Back to search

CRITICALCVE-2026-0082Published 2026-06-17Modified 2026-06-17CNA google_android

CVE-2026-0082: In tryStartActivity of NfcDispatcher

In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in the NfcDispatcher component of Android 17, specifically in the tryStartActivity method of NfcDispatcher.java. Despite the CVSS 4.0 vector indicating network-reachable conditions, the description confirms the practical attack path involves automatic special app access permission assignment triggered by an insecure default value, enabling local privilege escalation without any additional privileges or user interaction. Successful exploitation gives an attacker full control over the device, including read and write access to all data and the ability to disrupt services. No fix version has been published yet; HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Google publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-0082 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android-derived container images. Any image carrying the affected Android 17 NfcDispatcher component is flagged automatically in both registry scans and CI/CD pipeline checks.

Available

Triage

Triage is available with the full CVSS 4.0 score of 10.0 (Critical) applied to every matched image, weighted further by each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

Because no upstream fix version has been published for CVE-2026-0082, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a remediated Android 17 release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The CVSS 4.0 vector specifies AV:N, meaning the vulnerable component is reachable over the network without requiring physical or local access.
AuthenticationNot required
PR:N indicates no credentials or account privileges are needed before triggering the vulnerability.
Victim interactionNot required
UI:N confirms no user action such as clicking a link or opening a file is required for exploitation.
Attack complexityDetail
AC:L with AT:N means the exploit is reliable and condition-free, requiring no race conditions, special configurations, or environmental prerequisites.

Blast Radius

Reads all data on the device, including stored credentials, session tokens, and application data across every installed app.
Writes or modifies any persisted data on the device, including system settings and application storage.
Crashes or disrupts any running service on the device, including system-level processes.
Gains equivalent impact on systems the compromised device can reach, as indicated by the high Subsequent System confidentiality, integrity, and availability scores in the CVSS 4.0 vector.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-0082 is actively tracked with a Critical (10.0) severity rating, and detection runs against all customer images on every scan cycle. Because Google has not yet published a fix for Android 17, no patched-image rebuild is available at this time. HarborGuard will generate the rebuild and, for customers with auto-remediation enabled, open a patch PR with a regression test run automatically as soon as an upstream fix is published. In the meantime, compensating controls worth considering include network-policy isolation to restrict NFC-adjacent attack surface, egress filtering on containers derived from Android 17 base images, and disabling NFC dispatch functionality via feature-flag or build-time configuration where the application does not require it. The advisory is re-evaluated on every ingest cycle so patch availability will reflect upstream changes within minutes of publication.

See how HarborGuard automates this

Affected packages

Google / Android
17

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

source.android.com

Metrics

Get notified