Severity: HIGH · CVE-2026-0099 · CNA: google_android

CVE-2026-0099: In onNullBinding of HostEmulationManager

In onNullBinding of HostEmulationManager.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A privilege escalation flaw exists in the Android HostEmulationManager component, specifically in its onNullBinding handler. An attacker with a low-privilege local account can exploit a logic error to launch an activity from the background, bypassing normal restrictions. Successful exploitation grants full read, write, and execution control over the affected device without requiring any elevated permissions. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-based container and emulator images, as they move through registry scans and CI/CD pipelines.

Status: Available

Triage

HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to adjust priority accordingly. Triage findings are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

No fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor publishes a fix. Customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the target is required.

  • Authentication: Required

    Any low-privilege local account is sufficient; no admin or elevated credentials are needed.

  • Victim interaction: Required

    A user must interact with the device (for example, tapping or otherwise engaging with a UI element) for the background activity launch to succeed. The published CVSS vector records UI:N, which does not reflect this requirement.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Reads sensitive data stored on the device, including files and credentials accessible to the targeted process.
  • Modifies application data, device settings, or persisted storage under the control of the escalated context.
  • Executes arbitrary actions at an elevated privilege level, enabling installation of malicious components or further lateral movement within the device.
  • Disrupts normal device operation by terminating or hijacking foreground activities and system services.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored across every ingest cycle because no upstream fix has been published. While waiting for a vendor patch, customers can apply compensating controls such as network-policy isolation to limit exposure of affected Android workloads, egress filtering to reduce post-exploitation reach, and feature-flag gating to disable NFC host card emulation functionality where operationally feasible. The moment Google publishes a fix for the affected Android versions (16-qpr2, 16, 15, and 14), HarborGuard will make a patched-image rebuild available. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes once an upstream fix is available.

Affected packages

  • Google / Android
    16-qpr2 · 16 · 15 · 14

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H