HarborGuard Database

HIGH · CVE-2026-0096 · CNA: google_android

CVE-2026-0096: In getAppLabel of ForgetDeviceDialogFragment

In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible way to trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a local privilege escalation vulnerability in the Android Bluetooth settings component, specifically in the getAppLabel method of ForgetDeviceDialogFragment.java. An attacker with a low-privilege local account can exploit a misleading or insufficient UI to trick the user into forgetting a device, requiring no additional execution privileges. Successful exploitation grants the attacker elevated privileges on the device, with full confidentiality, integrity, and availability impact. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as upstream releases one.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-0096 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream Android security feeds, including any custom-built images that bundle the affected Android 16 or 16-QPR2 components. Coverage applies to both registry scans and pipeline-integrated image checks at build time.

Triage: Available

HarborGuard is capable of scoring this CVE at 7.8 HIGH (CVSS v3.1) and weighting it against each customer environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Google publishes a fix. In the interim, customers can apply compensating controls such as network-policy isolation or restricting the attack surface through device-management policy, surfaced through HarborGuard's advisory tracking view.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.

  • Authentication: Required

    Any low-privilege local account is sufficient; no admin or elevated credentials are needed to trigger the vulnerability.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N, meaning no user action such as clicking a link or opening a file is required for exploitation.

  • Attack complexity: Low

    Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or other environmental prerequisites.

Blast Radius

  • The attacker gains elevated privileges on the device, bypassing the normal permission boundary enforced for low-privilege accounts.
  • Confidential data stored on the device, including app data, credentials, and session tokens, becomes readable by the attacker.
  • The attacker can modify persisted data, system settings, or installed application state.
  • The attacker can disrupt or terminate running processes and services on the affected device.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-0096, HarborGuard continuously re-checks the Google Android advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is released. Until then, customers can use HarborGuard's policy controls to flag any image containing the affected Android 16 or 16-QPR2 Bluetooth settings components for review and block promotion to production. Compensating controls worth considering include applying device-management policies that restrict access to Bluetooth settings dialogs, isolating affected workloads via network policy, and enabling HarborGuard's advisory-watch alerts so that the team responsible for Android base images is notified immediately when upstream ships a patch. For customers with auto-remediation enabled, a rebuild and regression run will be triggered automatically once a fix version is available, with a PR opened against affected workloads.

Affected packages
  • Google / Android
    16-qpr2 · 16
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H