CVE-2026-28580 · Severity: HIGH · CNA: google_android

CVE-2026-28580: In multiple functions, there is a possible desync in persistence due to an incorrect bounds check

In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An incorrect bounds check in multiple Android system functions allows a local attacker to desync persistent state and escalate privileges. The vulnerability is reachable locally, meaning the attacker needs an existing shell or process on the device, but requires no additional elevated permissions beyond a low-privilege account. Successful exploitation grants full local privilege escalation, giving the attacker control over the device's confidentiality, integrity, and availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-based images, in active registries and CI pipelines. Any image carrying an affected version of Android 16 or 16-qpr2 is flagged automatically.

Status: Available

Triage

HarborGuard scores this finding at CVSS 7.8 (HIGH) and weights it against each customer environment's compliance policy, reflecting the high impact across confidentiality, integrity, and availability. Triage alerts are routed to the appropriate team inbox within each customer organization based on configured policy rules.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix for Android 16 or 16-qpr2. For customers with auto-remediation enabled, that rebuild will trigger a regression run and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the device is required.

  • Authentication: Required

    The attacker must hold a low-privilege account or process on the device, but no admin or elevated permissions are required beyond that.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can trigger the bounds-check desync entirely on their own.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout randomization, or other variable environmental factors.

Blast Radius

  • Reads arbitrary files and data belonging to other applications or system processes on the device.
  • Modifies or corrupts persistent system state, including settings, application data, and security policies.
  • Crashes or destabilizes the affected device, causing service disruption to all running applications.
  • Achieves full privilege escalation, gaining the same capabilities as a privileged system process.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-28580, HarborGuard continuously monitors the Google Android advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fix version is published. In the interim, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict lateral movement from a compromised container, egress filtering to limit what a privilege-escalated process can reach, and feature-flag gating to disable workloads that run Android 16 or 16-qpr2 images in sensitive environments. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated automatically upon upstream fix availability, with no manual steps required.

Affected packages
  • Google / Android
    16-qpr2 · 16
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H