How is CVE-2026-0094 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path. Authentication (required): Any low-privilege local account is sufficient; no admin or elevated permissions are needed before exploitation. Victim interaction (not-required): The CVSS vector specifies UI:N, meaning the exploit does not depend on a user taking any action such as clicking a link or opening a file. Attack complexity (info): Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

What is the impact of CVE-2026-0094?

Reads sensitive certificate data and credentials that the victim app would otherwise have exclusive access to. Modifies or injects certificate trust decisions, allowing the attacker to approve their own certificate access under the victim's identity. Gains execution privileges at a higher level than the attacker's starting account, enabling further lateral movement within the device. Crashes or disrupts the KeyChain service, preventing legitimate apps from completing certificate-dependent operations.

Back to search

HIGHCVE-2026-0094Published 2026-06-01Modified 2026-06-02CNA google_android

CVE-2026-0094: In getApplicationLabel of KeyChainActivity

In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a user-interface spoofing vulnerability in Android's KeyChainActivity component, specifically in the getApplicationLabel function. An attacker with a low-privilege local account can display a misleading application label to trick a user into approving certificate access, requiring no additional permissions to pull off. Successful exploitation gives the attacker full read, write, and execution control at a higher privilege level than they started with. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Google ships an upstream fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-0094 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built Android-based images in customer registries and CI pipelines.

Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and can weight that score against each customer org's per-environment compliance policy, routing the finding to the appropriate team inbox based on configured severity thresholds and asset criticality.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix. In the interim, the CVE remains flagged as unpatched in all affected image scan results.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
AuthenticationRequired
Any low-privilege local account is sufficient; no admin or elevated permissions are needed before exploitation.
Victim interactionNot required
The CVSS vector specifies UI:N, meaning the exploit does not depend on a user taking any action such as clicking a link or opening a file.
Attack complexityDetail
Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

Reads sensitive certificate data and credentials that the victim app would otherwise have exclusive access to.
Modifies or injects certificate trust decisions, allowing the attacker to approve their own certificate access under the victim's identity.
Gains execution privileges at a higher level than the attacker's starting account, enabling further lateral movement within the device.
Crashes or disrupts the KeyChain service, preventing legitimate apps from completing certificate-dependent operations.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-0094, HarborGuard continuously monitors the Google Android advisory across every ingest cycle and will trigger a patched-image rebuild automatically once a fix is published. While the vulnerability remains unpatched, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict lateral movement from a compromised process, egress filtering to limit what a privilege-escalated process can reach, and feature-flag gating to flag any image shipping a KeyChain-dependent workflow for manual review. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without delay once the upstream patch is available.

See how HarborGuard automates this

Affected packages

Google / Android
16-qpr2 · 16 · 15 · 14

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified