How is CVE-2026-0092 exploited?

Network reachability (required): The vulnerability is exploitable over the network (AV:N), meaning an attacker must be able to reach the affected service across a network connection. Authentication (not-required): No credentials or prior account access are needed (PR:N); an unauthenticated attacker can trigger the missing permission check directly. Victim interaction (not-required): Exploitation is fully silent and requires no action from a user on the affected device (UI:N). Attack complexity (info): Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, memory layout, or other environmental prerequisites.

What is the impact of CVE-2026-0092?

A successful attacker bypasses the device lock controller and escalates to full local privilege, gaining unrestricted control over the Android 17 environment. The attacker can read any data stored on the device, including protected app data, credentials, and session tokens (VC:H). The attacker can write or delete any data, install or remove packages, and modify system configuration without restriction (VI:H, SI:H). The attacker can crash or disable services on the device and affect dependent downstream systems, causing full availability loss (VA:H, SA:H).

Back to search

CRITICALCVE-2026-0092Published 2026-06-17Modified 2026-06-17CNA google_android

CVE-2026-0092: In Package Manager, there is a possible device lock controller bypass due to a missing permission check

In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass (missing permission check) in the Android Package Manager component affecting Android 17. The vulnerability is reachable over the network with no authentication required and requires no victim interaction, allowing an attacker to bypass the device lock controller and escalate privileges locally. Successful exploitation gives the attacker full control over the device, including read and write access to protected data and the ability to disrupt services. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Android-based images. Any image carrying the affected Android 17 Package Manager component is flagged immediately on first scan after ingestion.

Available

Triage

HarborGuard scores this issue at CVSS 10.0 (Critical) and weights it against each environment's compliance policy to determine routing priority. Triage tickets are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available

Patch

No upstream fix version has been published for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix for Android 17. Until then, the affected images remain flagged at Critical severity in all impacted environments.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerability is exploitable over the network (AV:N), meaning an attacker must be able to reach the affected service across a network connection.
AuthenticationNot required
No credentials or prior account access are needed (PR:N); an unauthenticated attacker can trigger the missing permission check directly.
Victim interactionNot required
Exploitation is fully silent and requires no action from a user on the affected device (UI:N).
Attack complexityDetail
Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, memory layout, or other environmental prerequisites.

Blast Radius

A successful attacker bypasses the device lock controller and escalates to full local privilege, gaining unrestricted control over the Android 17 environment.
The attacker can read any data stored on the device, including protected app data, credentials, and session tokens (VC:H).
The attacker can write or delete any data, install or remove packages, and modify system configuration without restriction (VI:H, SI:H).
The attacker can crash or disable services on the device and affect dependent downstream systems, causing full availability loss (VA:H, SA:H).

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for this CVE, HarborGuard continuously monitors the Google Android advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a fix version is published. In the interim, customers are advised to apply compensating controls: use network policy to restrict inbound access to any container or emulated environment running Android 17, apply egress filtering to limit lateral movement, and consider feature-flag gating or disabling Package Manager-dependent workflows where operationally feasible. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically without requiring manual intervention once the upstream patch is available.

See how HarborGuard automates this

Affected packages

Google / Android
17

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

source.android.com

Metrics

Get notified