How is CVE-2026-0098 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network path to the device is required. Authentication (required): Any low-privilege account on the device is sufficient; no admin or elevated credentials are needed. Victim interaction (not-required): The exploit runs without any action from another user on the device. Attack complexity (info): The exploit is reliable and condition-free; no race conditions or special environmental factors must be arranged.

What is the impact of CVE-2026-0098?

Reads files, tokens, and data belonging to other apps or the OS that the attacker's process would normally be blocked from accessing. Writes or modifies data and settings protected by activity start restrictions, overwriting content the attacker should not control. Executes restricted activities or components as if holding elevated system permissions, enabling further lateral movement within the device. Full confidentiality, integrity, and availability of affected subsystems are compromised once the privilege boundary is crossed.

Back to search

HIGHCVE-2026-0098Published 2026-06-01Modified 2026-06-02CNA google_android

CVE-2026-0098: In getCallingPackageName of Shared

In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A confused deputy vulnerability in the getCallingPackageName function of Shared.java allows a local attacker to bypass activity start restrictions on Android versions 14 through 16-qpr2. The attacker needs only a low-privilege account and local access to the device, with no user interaction required. Successful exploitation grants full escalation of privilege, giving the attacker read, write, and execution control over resources protected by those restrictions. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as Google publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived images, in both registry scans and CI/CD pipeline checks. Any image carrying an affected version of Android (14, 15, 16, or 16-qpr2) is flagged automatically.

Available

Triage

HarborGuard scores this CVE at CVSS 7.8 HIGH and surfaces it accordingly in each customer organization's finding queue, weighted against that environment's compliance policy. Routing rules direct the alert to the team or inbox configured for high-severity local-privilege findings within each org.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the Google Android advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the meantime, the finding remains open and continuously re-evaluated so no manual tracking is required.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the device is required.
AuthenticationRequired
Any low-privilege account on the device is sufficient; no admin or elevated credentials are needed.
Victim interactionNot required
The exploit runs without any action from another user on the device.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special environmental factors must be arranged.

Blast Radius

Reads files, tokens, and data belonging to other apps or the OS that the attacker's process would normally be blocked from accessing.
Writes or modifies data and settings protected by activity start restrictions, overwriting content the attacker should not control.
Executes restricted activities or components as if holding elevated system permissions, enabling further lateral movement within the device.
Full confidentiality, integrity, and availability of affected subsystems are compromised once the privilege boundary is crossed.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all scanned images on an ongoing basis, and the HIGH-severity rating means it surfaces at the top of the triage queue for any affected environment. Because Google has not yet published a fix for Android 14, 15, 16, or 16-qpr2, no patched rebuild can be generated yet. HarborGuard re-evaluates the advisory every ingest cycle so the rebuild becomes available automatically the moment upstream ships a patch; for customers with auto-remediation enabled, that triggers a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. While a fix is pending, compensating controls worth considering include network-policy isolation of workloads that embed Android system components, egress filtering to limit what a compromised process can reach, and feature-flag gating to disable non-essential activity entry points where the framework permits.

See how HarborGuard automates this

Affected packages

Google / Android
16-qpr2 · 16 · 15 · 14

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

source.android.com

Metrics

Get notified