CVE-2026-0088: In getCallingAppLabel of CertInstaller
In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a UI deception vulnerability in Android's CertInstaller component, specifically in the getCallingAppLabel function. An attacker with a local foothold on the device can exploit the flaw to obscure a sensitive security dialog, tricking the system into granting elevated privileges without the user's knowledge. Successful exploitation gives the attacker full local privilege escalation, enabling read, write, and disruption of data accessible to the elevated context. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-0088 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in both registries and active CI/CD pipelines, including custom-built Android-based images. Any image found carrying an affected version of Android (14, 15, 16, or 16-qpr2) is flagged automatically.
Available
HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and surfaces it with that rating in each customer's findings dashboard. Per-environment compliance policy weighting is applied to route the alert to the appropriate security or platform team inbox within each customer organization.
Available
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a corrected release. Until then, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for affected workloads.
Pending upstream
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access to the device is required.
- Authentication: Required
Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to begin exploitation.
- Victim interaction: Not required
Exploitation is fully silent; no user action such as clicking a link or approving a prompt is required.
- Attack complexity: Detail
The exploit is reliable and condition-free; no race conditions or special environmental factors must be aligned for the attack to succeed.
Blast Radius
- Reads sensitive data accessible to the escalated privilege context, including certificates, credentials, and protected app storage.
- Writes or modifies system-level or app-level data, enabling persistent changes such as installing rogue certificates.
- Crashes or disrupts services running under the elevated privilege level, affecting device stability.
- Gains ongoing privileged code execution on the device without any further credentials or user approval.
How HarborGuard Handles This
Available on HarborGuard: images running affected Android versions (14, 15, 16, 16-qpr2) are flagged immediately upon scan, with findings routed according to each customer's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the Google Android advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include restricting the set of apps permitted to interact with CertInstaller through device policy, applying workload isolation at the container or OS level where Android images are used in pipeline or emulation contexts, and enabling egress filtering to limit lateral movement in the event a device is compromised.
- Google / Android: 16-qpr2 · 16 · 15 · 14
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H