CVE-2026-0093: In multiple locations, there is a possible misleading UI due to obfuscation
In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This vulnerability is a misleading UI (user interface obfuscation) flaw affecting Google Android versions 14, 15, 16, and 16-QPR2. An attacker with a low-privilege local account can exploit it without any user interaction to escalate their privileges on the device. Successful exploitation grants the attacker high-level control over confidentiality, integrity, and availability of the affected system. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Google publishes a fix.
HarborGuard Coverage
Detection of CVE-2026-0093 is available across every HarborGuard environment: the CVE is matched against customer images, including custom-built Android-based container images, within minutes of its publication in upstream feeds. Any image derived from an affected Android version (14, 15, 16, or 16-QPR2) is flagged automatically during both registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 7.8 HIGH and weighting it against each customer organization's compliance policy to determine urgency and routing. Triage results are routed to the appropriate team inbox within each customer environment based on configured ownership rules.
Status: Available
Because no fix version has been published by Google for CVE-2026-0093, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the meantime, the finding remains open and tracked in the customer dashboard with its current advisory status.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
  Any low-privilege local account is sufficient; no administrative or elevated credentials are needed to begin exploitation.
- Victim interaction: Not required
  No action from another user or victim is required; the attacker can exploit the flaw entirely on their own.
- Attack complexity: Detail
  The exploit is reliable and condition-free, with no race conditions or special environmental factors required to succeed.
Blast Radius
- Reads sensitive data stored on the device, including credentials, session tokens, and private application data.
- Modifies system files, application data, or device configuration, compromising the integrity of the affected Android installation.
- Disrupts or crashes services running on the device, causing denial of service to applications or system components.
- Gains effective full control of the device at a privilege level beyond the original low-privilege account, enabling persistent access.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images built on or derived from Android 14, 15, 16, or 16-QPR2. Because Google has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the upstream advisory on every ingest cycle and will surface a rebuild automatically the moment a patch is released. While no upstream fix exists, recommended compensating controls include restricting shell or process-level access to affected Android environments, applying network-policy isolation to limit lateral movement from a compromised device, and using feature-flag gating to disable any application surfaces that expose the affected UI locations. For customers with auto-remediation enabled, the rebuild-and-PR flow will trigger without manual intervention once Google publishes a fix version.
- Google / Android: 16-qpr2 · 16 · 15 · 14
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H