How is CVE-2026-0091 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the vulnerability. Authentication (required): A low-privilege shell account on the device is sufficient; no admin or elevated credentials are needed beyond that baseline. Victim interaction (not-required): No user action, click, or social-engineering step is required for exploitation. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or special memory layout requirements must be satisfied.

What is the impact of CVE-2026-0091?

The attacker executes arbitrary code inside the Android launcher process, gaining effective control over the device's primary user-facing runtime. Confidential data stored on the device, including credentials, session tokens, and application data, becomes readable by the attacker. The attacker can modify persisted system state, install software, alter settings, or tamper with data belonging to other applications. The attacker can crash or disrupt the launcher and dependent services, causing denial of service to the device user.

Back to search

HIGHCVE-2026-0091Published 2026-06-01Modified 2026-06-02CNA google_android

CVE-2026-0091: In multiple locations, there is a possible way to execute code in the launcher process due to an over-privileged shell user

In multiple locations, there is a possible way to execute code in the launcher process due to an over-privileged shell user. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in Google Android affecting versions 14, 15, 16, and 16-qpr2. An attacker with a low-privilege shell account on the device can exploit an over-privileged shell user condition in multiple locations to inject and execute code inside the Android launcher process, escalating privileges without requiring any additional permissions or user interaction. Successful exploitation gives the attacker high-level control over the device, including full read access to sensitive data, the ability to modify system state, and the ability to crash or disrupt services. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-0091 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Android-derived images in connected registries and CI pipelines. Any image based on an affected Android version is flagged automatically without manual configuration.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each environment's compliance policy to reflect organizational risk tolerance. Triage routing to the appropriate team inbox within each customer org is available as part of the standard pipeline.

Available

Patch

Because no fix version has been published upstream for CVE-2026-0091, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a corrected Android release. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads as soon as that upstream fix is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the device is required to trigger the vulnerability.
AuthenticationRequired
A low-privilege shell account on the device is sufficient; no admin or elevated credentials are needed beyond that baseline.
Victim interactionNot required
No user action, click, or social-engineering step is required for exploitation.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special memory layout requirements must be satisfied.

Blast Radius

The attacker executes arbitrary code inside the Android launcher process, gaining effective control over the device's primary user-facing runtime.
Confidential data stored on the device, including credentials, session tokens, and application data, becomes readable by the attacker.
The attacker can modify persisted system state, install software, alter settings, or tamper with data belonging to other applications.
The attacker can crash or disrupt the launcher and dependent services, causing denial of service to the device user.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-0091 is active across all connected environments, flagging any image derived from affected Android versions (14, 15, 16, 16-qpr2) as HIGH severity. Because Google has not yet published a fix version, no patched-image rebuild can be generated at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a rebuild automatically the moment an upstream patch is available. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict shell access to affected devices, egress filtering to limit lateral movement from a compromised launcher process, and feature-flag gating to disable or sandbox launcher components where the platform supports it. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR flow will activate without manual intervention once upstream ships a fix.

See how HarborGuard automates this

Affected packages

Google / Android
16-qpr2 · 16 · 15 · 14

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified