CVE-2026-0009: Android Tapjacking Local Privilege Escalation Vulnerability
A logic error in Android allows a local attacker to hijack touch input through tapjacking attacks, potentially gaining elevated privileges on the device. No special permissions or user interaction are required for exploitation, making this a direct path to privilege escalation for any app already running on the compromised system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-269
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple locations, there is a possible tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0009 is a tapjacking vulnerability in Google Android stemming from improper input validation across multiple code locations. The flaw allows a process with local execution context to intercept or manipulate touch events, bypassing intended access controls. Classified as CWE-269 (Improper Access Control), the vulnerability permits privilege escalation without requiring additional execution rights or user action, indicating the affected mechanism is automatically exploitable once conditions align.
Business impact
This vulnerability threatens organizations relying on Android devices for sensitive operations, particularly in BYOD environments and enterprise deployments. An attacker gaining local code execution—via malicious app installation, supply-chain compromise, or lateral movement—can escalate to system or higher privileges without detection, potentially accessing protected data, modifying device behavior, or persisting malware. The absence of user interaction as a prerequisite significantly lowers the barrier to attack in managed and unmanaged device scenarios.
Affected systems
Google Android is affected. Based on the structured data available, the vulnerability spans multiple locations in the codebase; verify against Google's official Android Security & Privacy Year in Review and monthly security bulletins for specific Android version ranges and device models impacted by this issue.
Exploitability
Exploitability is high. The attack surface is local-only, accessible to any process or app already executing on the device. No privilege escalation trigger or user interaction is needed; the logic error is inherently exploitable under normal circumstances. However, this is not currently listed in the CISA Known Exploited Vulnerabilities catalog, suggesting active in-the-wild exploitation has not yet been publicly confirmed or widely documented.
Remediation
Google has addressed this vulnerability; patch status and version availability should be verified through the official Android Security & Privacy bulletin corresponding to the June 2026 security update cycle. Organizations should prioritize deployment of patched Android versions across all managed devices and communicate update availability to BYOD users. Interim mitigations include restricting app permissions, monitoring for suspicious privilege escalation attempts, and disabling sideloading where policy permits.
Patch guidance
Monitor Google's official Android security bulletins for the June 2026 release and subsequent monthly updates. Patch availability varies by device manufacturer and carrier; users and administrators should check their device manufacturer's support portal for OTA (over-the-air) update availability. For enterprise deployments, test patches in a controlled environment before broad rollout, prioritizing devices with sensitive applications or data access. Verify patch deployment through device management solutions that support Android patch-level reporting.
Detection guidance
Focus detection on local privilege escalation artifacts: monitor system logs for unexpected capability grants, permission elevation events, or process spawning with elevated context by applications lacking authorization. Endpoint detection and response (EDR) solutions should flag attempts to access or interact with input devices outside normal app boundaries. Network behavior analysis may reveal exfiltration attempts following successful escalation. In enterprise environments, query device management platforms for unpatched Android versions and cross-reference against user access logs to identify high-risk device cohorts.
Why prioritize this
HIGH severity (CVSS 7.8) combined with local exploitability, no user interaction requirement, and direct path to privilege escalation justifies immediate prioritization. Though not yet in the KEV catalog, the technical characteristics—local attack vector, low complexity, high impact to confidentiality, integrity, and availability—make this a near-certain target for adversary leverage once public exploit code or malware proof-of-concept emerges. BYOD and less-controlled Android deployments present amplified risk.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects a Local Attack Vector (no network required), Low Attack Complexity (logic error exploitable without special conditions), and high impact across confidentiality, integrity, and availability. The absence of privilege requirement (L) and user interaction (N) distinguishes this as a potent escalation primitive. Scope is Unchanged, confining impact to the compromised device, which limits enterprise-wide blast radius but does not mitigate risk to individual high-value endpoints.
Frequently asked questions
Why does this vulnerability not require user interaction?
The tapjacking logic error exists in the system's input handling layer, not in user-facing prompts or confirmations. An attacker's code can directly invoke the vulnerable code path once local execution is achieved, without needing a victim to click, approve, or perform any action.
If I'm not on the latest Android version, am I automatically vulnerable?
Not necessarily. Vulnerability presence depends on the Android version and device manufacturer's implementation. Check Google's official security bulletin for June 2026 to identify affected versions, then cross-reference your device model with your manufacturer's patch status. Some devices may have already received updates mitigating this issue prior to the public disclosure date.
What's the difference between this being in KEV or not?
CISA's Known Exploited Vulnerabilities (KEV) catalog lists flaws with confirmed public exploit code or evidence of in-the-wild active exploitation. This vulnerability is not yet on that list, meaning widespread exploit tooling or documented attacks may not exist. However, absence from KEV does not mean it is safe; the technical severity and ease of exploitation suggest it will attract adversary attention.
Can mobile device management (MDM) help protect us?
MDM solutions can enforce patch deployment, restrict sideloading, and monitor device posture for unpatched versions. However, MDM cannot prevent exploitation of the underlying logic error on unpatched devices. The primary defense is timely patching; MDM accelerates visibility and enforcement of patch compliance across your fleet.
This analysis is based on structured vulnerability data current as of the publication date. Specific Android versions, device models, and patch availability must be verified against Google's official Android Security & Privacy bulletin and your device manufacturer's support portal. No exploit code, proof-of-concept, or weaponized technical details are provided herein. Organizations should conduct internal risk assessment and testing before deploying patches to production environments. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor patch status or timeline claims. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0089HIGHAndroid PackageInstallerService Permission Check Bypass – Local Privilege Escalation
- CVE-2026-0091HIGHAndroid Launcher Privilege Escalation Vulnerability (CVSS 7.8)
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-0086MEDIUMAndroid DisableSupervisionActivity Privilege Escalation via Null Check Bypass