HIGH 7.8

CVE-2026-0036: Android StageCoordinator Tapjacking Privilege Escalation (CVSS 7.8 HIGH)

CVE-2026-0036 is a tapjacking vulnerability in Android's StageCoordinator animation handler that allows a malicious app to escalate privileges without requiring user interaction or special permissions. An attacker with a local account on the device can overlay transparent windows to intercept touch events or manipulate the animation state, gaining unauthorized access to sensitive device functions and data. The vulnerability affects multiple Android versions and is rated HIGH severity due to its direct path to privilege escalation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-1021
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the startAnimation method of StageCoordinator.java, where insufficient input validation and touch event handling enable overlay/tapjacking attacks. An unprivileged process (PR:L) can exploit this to escalate privileges and access restricted resources. The attack requires no user awareness (UI:N) and operates entirely within the local attack surface (AV:L). The flaw allows manipulation of animation state transitions that are not properly protected against concurrent touch injection or window overlay techniques, resulting in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H).

Business impact

This vulnerability enables privilege escalation on Android devices without alerting users, creating significant risk for enterprises managing Android fleets. A compromised app could exfiltrate sensitive corporate data, modify system settings, install malware, or lock users out of their devices. For organizations relying on Android for mobile workforce management, remote work, or BYOD programs, exploitation could compromise authentication systems, email access, and document repositories. The lack of user interaction requirement makes this particularly dangerous in managed device scenarios where users may not notice malicious behavior.

Affected systems

The vulnerability affects Google Android across multiple versions. The specific Android versions and security patch levels subject to this flaw should be verified against the official Google security bulletin. Organizations running unpatched Android devices on any affected version are at risk, particularly those with devices that have not received the latest monthly or quarterly security updates from their manufacturer or carrier.

Exploitability

The attack has moderate-to-high practical exploitability. An attacker needs to install a malicious app on the target device (achievable through social engineering, phishing, or if the device has sideloading enabled), but no additional tricks are required once installed—no user interaction, no special permissions to request, and no race conditions to win. However, the attacker must already have local execution context (PR:L), limiting the immediate attack surface to users who have already installed untrusted software. The lack of CISA KEV status suggests this vulnerability is not yet widely weaponized in the wild, though that is not a guarantee of safety.

Remediation

Apply the latest Android security patches released after June 17, 2026 (the modification date). Android patches are typically distributed through monthly security updates. Users should enable automatic system updates; enterprises should mandate patching through mobile device management (MDM) policies. Interim mitigation: restrict app installation to trusted sources only, disable sideloading/unknown sources, and monitor for suspicious app behavior using endpoint detection and response (EDR) or MDM telemetry.

Patch guidance

Verify the specific patch version numbers and affected Android versions in the official Google Android Security & Privacy Year in Review or monthly security bulletin for June 2026 and later. Install updates through Settings > System > System Update or via your device manufacturer's update portal. For enterprise deployments, push patches through your MDM solution and verify compliance reporting confirms all at-risk devices have been remediated. If devices cannot be patched immediately, isolate them from sensitive corporate networks or restrict their use.

Detection guidance

Monitor for unexpected window overlay permissions being requested by apps (via manifest analysis or runtime permission logs). Look for repeated or unusual touch event injection attempts in system logs. Endpoint security solutions should flag apps attempting to manipulate system animation states or access animation-related system services abnormally. In MDM environments, audit app inventory for unsigned or sideloaded applications, and monitor for privilege escalation anomalies in device audit logs. Behavioral indicators include app crashes following failed exploitation attempts and unusual CPU/memory spikes during animation state transitions.

Why prioritize this

This vulnerability is HIGH severity due to its direct local escalation path (CVSS 7.8), absence of friction barriers (no user interaction, no special permissions), and impact to all confidentiality, integrity, and availability attributes. While not yet in CISA's KEV catalog, its technical accessibility and presence in a core Android system component (StageCoordinator) make it a credible near-term exploitation target. Organizations should prioritize patching alongside other HIGH/CRITICAL Android CVEs in their remediation workflows, particularly for devices used by privileged users or for sensitive operations.

Risk score, explained

The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L) limiting initial access requirements; low complexity with no special conditions needed (AC:L); low privilege requirements (PR:L) once an app is installed; no user interaction (UI:N); unchanged scope (S:U); and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately penalizes the attack's practical feasibility—an attacker must first get their app onto the device, but once there, escalation is automatic and complete. The HIGH rating is justified given the potential for widespread exploitation across all Android users if reliable exploit code emerges.

Frequently asked questions

Does this vulnerability require the user to click anything or interact with the malicious app?

No. The exploit operates without user interaction (UI:N in CVSS). Once a malicious app is installed on the device, it can exploit this vulnerability silently in the background, making it particularly dangerous because users will not notice any suspicious activity.

Is this vulnerability actively being exploited in the wild?

As of the modification date (June 17, 2026), this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting it is not yet widely exploited. However, this does not mean exploitation is impossible—only that no public reports of active campaigns have been confirmed. Organizations should still prioritize patching promptly.

What is the difference between this tapjacking vulnerability and a traditional permission escalation exploit?

Traditional privilege escalation exploits typically require the attacker to have specific capabilities or to win a race condition. Tapjacking/overlay attacks instead abuse the touch input system or visual rendering pipeline, intercepting or manipulating user interactions before they reach legitimate system components. In this case, the StageCoordinator animation handler does not properly guard against such overlay attacks, allowing stateless privilege elevation.

Can I reduce risk without patching immediately?

Temporary mitigations include disabling sideloading, restricting app installations to official app stores only, and using MDM policies to monitor and block suspicious apps. However, these controls do not eliminate the vulnerability—they only reduce the likelihood of malicious app installation. Patching is the only definitive remedy and should be prioritized as soon as patches are available.

This analysis is based on the CVE record as published on June 1, 2026 and modified on June 17, 2026. Specific affected Android versions, patch version numbers, and remediation steps should be verified against the official Google Android Security & Privacy advisories and your device manufacturer's documentation. SEC.co does not provide legal or compliance advice. Organizations should assess their own risk tolerance and patching schedules in consultation with internal security and operations teams. No exploit code or weaponized proof-of-concept has been provided in this analysis. The absence of CISA KEV status does not guarantee the vulnerability is not exploitable—always treat HIGH-severity vulnerabilities with appropriate urgency. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).