CVE-2026-28577: In addWindow of WindowManagerService
In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a local privilege escalation vulnerability in the Android WindowManagerService component, specifically in its addWindow function. An attacker with a low-privilege account already present on the device can exploit a tapjacking and overlay attack without any user interaction or additional permissions. Successful exploitation gives the attacker full control over the device, including read and write access to protected data and the ability to disrupt running services. No fix version has been published yet; HarborGuard tracks this advisory and will flag a patched-image rebuild the moment upstream ships a fix.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived container images, in both registry scans and CI pipeline checks. Any image pulling from affected Android 14, 15, 16, or 16-QPR2 layers is flagged automatically.
- Available: HarborGuard scores this CVE at CVSS 7.8 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer org based on configured ownership rules.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Google publishes a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable code path.
- Authentication: Required
  Any low-privilege account on the device is sufficient; no elevated or administrative credentials are needed.
- Victim interaction: Not required
  No user interaction of any kind is required for exploitation.
- Attack complexity: Low (AC:L)
  The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental factors need to be arranged.
Blast Radius
- Reads protected files, credentials, and application data stored on the device.
- Writes or overwrites protected system and application data, enabling persistent tampering.
- Crashes or disrupts running services on the device.
- Escalates from a low-privilege process to full device control by abusing the overlay attack surface in WindowManagerService.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked against all customer images that include affected Android 14, 15, 16, or 16-QPR2 layers. Because Google has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle. When upstream ships a patch, a patched-image rebuild becomes available immediately; for customers who opt into auto-remediation, the rebuild is followed by a regression test run and a PR opened against affected workloads. In the interim, compensating controls to consider include restricting the deployment of untrusted applications via admission policy, applying network-policy isolation to limit lateral movement from any compromised process, and reviewing overlay and accessibility permission grants in your Android-based images. Customers with compliance policies that require action on HIGH-severity findings with no available fix will receive a policy-breach alert through their configured routing rules.
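Added example (not code from HarborGuard or the Android project): a hypothetical button that rejects touches arriving while its window is fully or partially obscured, plus a helper that hides untrusted overlays on Android 12+. This is app-layer hardening against the overlay/tapjacking class in general and does not fix the WindowManagerService bug itself; the class and method names are assumptions.

```java
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

// Hypothetical sensitive-action button: drops any touch that arrives while
// another window is drawn over it, so an overlay cannot relay a tap into it.
public class ObscuredTouchAwareButton extends Button {

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Platform filter: discard touches while the window is fully obscured.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // Keep the platform check for FLAG_WINDOW_IS_OBSCURED.
        if (!super.onFilterTouchEventForSecurity(event)) {
            return false;
        }
        // Android 10+ also flags partial obscuring, which the default filter ignores.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0) {
            return false;
        }
        return true;
    }

    // Ask the system not to draw other apps' TYPE_APPLICATION_OVERLAY windows above
    // this activity (Android 12+; needs android.permission.HIDE_OVERLAY_WINDOWS in the manifest).
    public static void hideUntrustedOverlays(Activity activity) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            activity.getWindow().setHideOverlayWindows(true);
        }
    }
}
```

Call hideUntrustedOverlays(this) from the activity's onCreate and use the button for confirm or grant actions; touches filtered this way are silently dropped, so log the event if you want detection telemetry.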
Affected Products
- Google / Android: 16-qpr2 · 16 · 15 · 14
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H