CVE-2026-0087: In approvalLevelForDomainInternal of DomainVerificationService
In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege-escalation vulnerability in Android's DomainVerificationService, specifically in the approvalLevelForDomainInternal function. A local attacker with a low-privilege account can exploit a logic error to hijack arbitrary app links, redirecting intent traffic meant for a legitimate app to a malicious one, without needing elevated permissions or any action from the device user. Successful exploitation gives the attacker full read, write, and execution control at the compromised privilege level, enabling data theft, data tampering, and potential further compromise of the device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Android security feeds within minutes of publication and matched against customer images, including custom-built Android-derived container images. Any image carrying an affected Android version (14, 15, 16, or 16-qpr2) is flagged automatically during pipeline scans and registry sweeps.
Status: Available
HarborGuard scores this finding at CVSS 7.8 HIGH and weights it against each environment's compliance policy to determine breach-of-threshold status. Findings that cross a customer's configured threshold are routed to the appropriate team inbox, including priority queuing for high-severity local-privilege-escalation issues.
Status: Available
Because no upstream fix version has been published for CVE-2026-0087, HarborGuard re-checks the Android security advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix lands upstream.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the vulnerability.
- Authentication: Required
Any low-privilege account on the device is sufficient; no admin or elevated permissions are needed beyond a basic user session.
- Victim interaction: Not required
The exploit completes without any action from the device owner or any other user on the system.
- Attack complexity
The exploit is reliable and condition-free; no race conditions, special memory layouts, or environmental factors need to be arranged.
Blast Radius
- Reads app-link intent data routed through the hijacked domain handler, exposing tokens, credentials, or personal information passed between apps via deep links.
- Modifies or intercepts in-flight intent payloads, allowing the attacker to tamper with data before the legitimate target app receives it.
- Redirects authentication callbacks and OAuth redirect URIs to a malicious app, enabling account takeover without the user noticing.
- Gains the full combined read, write, and code-execution surface of the impersonated app's permission set on the device.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix exists yet. Images carrying Android 14, 15, 16, or 16-qpr2 are flagged at CVSS 7.8 HIGH and surfaced in the affected team's queue immediately. While the patch is pending, compensating controls available within HarborGuard include network-policy isolation rules that restrict lateral connectivity from affected workloads, and egress-filtering annotations that can be applied to limit the blast radius of a successful app-link hijack. Feature-flag gating on domain-verification-dependent functionality is also a viable interim measure that security engineers can document and track inside HarborGuard's advisory notes field. The moment Google publishes a corrected Android release, HarborGuard will make a patched-image rebuild available; for customers who opt into auto-remediation, this triggers a full rebuild, regression test run, and an automated PR opened against all affected workloads.
- Google / Android: 16-qpr2 · 16 · 15 · 14
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H