LOW 3.3

CVE-2026-0056: Android ResourceTypes.cpp Out-of-Bounds Read Information Disclosure

CVE-2026-0056 is a memory safety issue in Android's ResourceTypes.cpp component where an incorrect bounds check allows a local process to read data outside intended memory boundaries. This flaw exposes sensitive information resident in adjacent memory to any app with basic local access—no special permissions, elevated privileges, or user interaction required. The vulnerability is classified as low severity due to its limited scope and local-only nature.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-120
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the setTo() function of ResourceTypes.cpp, part of Android's resource management framework. An insufficient bounds validation permits an out-of-bounds read operation. The attacker exploits this via CWE-120 (buffer copy without checking size of input), allowing unvalidated memory access. Given the local attack vector and low CVSS score (3.3), the issue presents information disclosure risk rather than code execution or system compromise. Exploitation requires local code execution capability but no additional privilege escalation or user action.

Business impact

Information disclosure from this vulnerability is limited to local processes already running on the device. In enterprise environments, this could allow a compromised or malicious app to extract sensitive metadata, configuration details, or identifiers from system memory. The impact is primarily confidentiality-focused; integrity and availability of the device remain unaffected. For consumer users, the practical risk depends on what apps are installed and their trustworthiness.

Affected systems

Google Android is affected. Based on source data, multiple Android versions are impacted; consult the vendor advisory and your Android device's security bulletin to identify specific affected releases and corresponding patch timelines.

Exploitability

Exploitation is straightforward from a technical standpoint: an attacker needs only local code execution—achievable by installing a malicious app or compromising an existing one. No special system privileges, exotic execution context, or user interaction is required. However, the attack is confined to the local device; remote exploitation is not possible. The low CVSS score reflects these constraints.

Remediation

Apply the security patch from Google's Android security update when available for your device and Android version. The fix corrects the bounds check in ResourceTypes.cpp's setTo() function. Verify patch availability via your device manufacturer's security bulletin or Android's official security updates page. Device-level mitigation includes restricting app installation to trusted sources and monitoring app permissions.

Patch guidance

Check your Android device for the June 2026 security patch or later that addresses CVE-2026-0056. Updates are typically delivered through over-the-air (OTA) installation or manual system updates. Navigate to Settings > System > System Update (or equivalent, depending on device maker) and install any available security patches. For enterprise deployments, coordinate patch rollout through your mobile device management (MDM) system. Verify the patch level against the vendor advisory to confirm CVE-2026-0056 is included.

Detection guidance

Detection at runtime is challenging because the vulnerability does not produce obvious crash signatures or system errors—it silently reads adjacent memory. Endpoint detection and response (EDR) solutions on Android are limited; focus instead on preventive controls: restrict sideloading, use security updates promptly, and audit installed apps for suspicious behavior. A security update is the definitive remediation; there is no reliable behavioral mitigation.

Why prioritize this

Despite low severity, prioritize this patch in your routine security update cycle. The ease of exploitation (no privilege escalation needed) means any local app can attempt it. While the information disclosure risk is modest for most users, organizations handling sensitive data on employee devices should patch promptly. The local-only attack vector and lack of active exploitation in the wild lower urgency relative to remote code execution flaws, but this is not a candidate for deferral.

Risk score, explained

The CVSS 3.1 score of 3.3 (LOW) reflects a local attack vector (AV:L), low complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and confidentiality impact only (C:L, I:N, A:N). The low severity stems from the requirement for local code execution and the absence of integrity or availability impact. An unprivileged local process can read out-of-bounds memory, which is a legitimate concern but does not meet the threshold for higher severity ratings.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-0056 requires local code execution on the device. An attacker must already have the ability to run code locally—typically by installing an app on the device or compromising one. Remote exploitation is not possible.

What information could an attacker read?

An attacker can read data from memory adjacent to the vulnerable buffer in ResourceTypes.cpp. This might include system identifiers, configuration metadata, or other process-specific state. The exact sensitive data depends on memory layout and what happens to be adjacent at runtime; there is no fixed 'secret' leaked by all instances of this bug.

Does this vulnerability allow code execution?

No. This is an information disclosure flaw only. It permits reading out-of-bounds memory but does not enable writing to memory, executing code, or escalating privileges. It could potentially be chained with other vulnerabilities for greater impact, but on its own it does not lead to code execution.

Is this vulnerability currently being exploited in the wild?

CVE-2026-0056 is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation as of the publication date. However, the simplicity of exploitation means it could become attractive to attackers if widely known and unpatched.

This analysis is based on the CVE record and public vendor advisories as of June 2026. Specific patch availability, affected versions, and remediation timelines may vary by device manufacturer and regional carrier. Organizations should verify all details against the official Google Android security bulletin and their device maker's security updates before deploying patches. No exploit code, proof-of-concept, or weaponized tooling is provided. This content is for informational and defensive security purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).