MEDIUM 5.5

CVE-2026-0060: Android Local DoS in Graphics Driver Management – Analysis & Remediation

CVE-2026-0060 is a local denial-of-service vulnerability in Android's graphics driver management system. A local attacker with basic user privileges can trigger a persistent crash condition in the GraphicsDriverEnableAngleAsSystemDriverController component, rendering the graphics subsystem unavailable without requiring elevated permissions or user interaction. The issue stems from improper state handling in the updateState method.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In updateState of GraphicsDriverEnableAngleAsSystemDriverController.java, there is a possible persistent dos issue due to an unusual root cause. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability resides in the updateState() method of GraphicsDriverEnableAngleAsSystemDriverController.java, where insufficient validation of state transitions during graphics driver initialization allows a local, low-privileged process to induce a persistent denial-of-service condition. The attack vector is local; the attacker must already possess user-level access to the device. No special privileges, code execution capabilities, or interactive user action are prerequisites for exploitation. The resulting denial of service persists across operations.

Business impact

Device availability is materially impacted. Affected users may experience repeated graphics system crashes, potentially rendering the device unusable for tasks requiring graphical output until the system is forcibly restarted or the vulnerability is patched. Organizations managing Android deployments face increased support burden, potential productivity loss, and risk of prolonged device downtime if users attempt workarounds rather than applying patches promptly.

Affected systems

Google Android operating system (multiple versions). The source data indicates multiple Android product entries; verify your specific device manufacturer's security bulletin and Android version to determine if your deployment is affected. Affected versions and patch availability vary by device model and OEM update schedule.

Exploitability

Exploitability is straightforward from an attacker capability perspective. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects low attack complexity and no user interaction requirement. However, the attacker must already possess local access as a non-root user. This vulnerability poses risk in shared-device environments, multi-user systems, or scenarios where untrusted applications have been sideloaded. The vulnerability does not currently appear on the KEV (Known Exploited Vulnerabilities) catalog.

Remediation

Apply the security patch released by Google for your Android version and device model. Check your device manufacturer's security updates portal (typically accessible via Settings > System > System Update > Security patch level). If your device is no longer receiving updates, consider migration to a supported device or OS version. In interim high-risk environments, restrict installation of untrusted applications and disable sideloading where organizational policy permits.

Patch guidance

Contact your device manufacturer or OEM for the specific security patch addressing CVE-2026-0060 in your Android version. Google releases monthly security bulletins; verify the June 2026 security update and subsequent patches for this fix. Test patches in a non-production environment before broad rollout. Device-specific patch availability and deployment timelines vary significantly; do not assume all devices receive patches simultaneously.

Detection guidance

Monitor system logs for repeated graphicsdriver or ANGLE (Almost Native Graphics Layer Engine) initialization failures. Look for crash reports in the graphics subsystem prior to the device becoming unresponsive. Endpoint detection and response (EDR) tools can flag sustained graphics driver crashes originating from unprivileged processes as potential exploitation attempts. In managed device environments, telemetry from device management platforms may surface unusual graphics subsystem restarts or error frequencies.

Why prioritize this

Although the CVSS score of 5.5 is moderate, the persistent nature of the denial of service and the low barrier to exploitation (local user access, no interaction required) warrant prioritization in environments with shared or multi-user Android devices. Organizations running dedicated or kiosk-mode Android deployments should evaluate exposure carefully. The lack of KEV listing suggests active exploitation is not yet widespread, providing a window for proactive patching before the threat landscape shifts.

Risk score, explained

CVSS 5.5 (Medium) reflects the local-only attack vector, requirement for user-level privileges, and complete loss of availability to the graphics driver (high impact to availability). Confidentiality and integrity are not compromised. The score does not increase to High because exploitation requires pre-existing local access; however, in environments where local access is easily obtainable (shared devices, testing labs), effective risk may be higher than the base score suggests. Organizational risk depends on device deployment topology and user trust model.

Frequently asked questions

Does this vulnerability allow remote code execution or data theft?

No. CVE-2026-0060 is strictly a denial-of-service vulnerability affecting the graphics driver. It does not compromise data confidentiality, enable code execution, or permit privilege escalation. An attacker can crash the graphics subsystem but cannot read files, execute arbitrary code, or gain elevated permissions.

Who is most at risk?

Organizations and individuals managing shared Android devices (corporate kiosks, testing devices, shared tablets) and environments where untrusted applications may be sideloaded face elevated risk. Single-user personal devices are also vulnerable if the user installs a malicious application, but the threat is lower. Users on older, unsupported Android versions unable to receive patches face indefinite exposure.

If I patch today, am I fully protected?

Patching will remediate this specific issue. However, it is one of many vulnerabilities. Maintain a continuous patching cadence with your device manufacturer, keep applications updated, and follow secure device configuration practices (disable sideloading if not required, restrict permissions). No single patch eliminates all risk.

Why is this not on the KEV list if it's a denial-of-service threat?

The KEV (Known Exploited Vulnerabilities) catalog focuses on vulnerabilities actively exploited by adversaries in the wild. CVE-2026-0060 is tracked and patched by vendors, but exploitation in real-world attack campaigns has not yet been documented or reported to CISA. Lack of KEV listing does not mean the vulnerability is unimportant; it indicates current threat activity is limited or unreported.

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co does not guarantee the completeness or accuracy of vendor patch details or device-specific update availability. Consult official Google Android security bulletins and your device manufacturer's advisory for authoritative patch timelines and affected versions. Always test patches in non-production environments before deployment. This vulnerability analysis is not a substitute for professional security assessment or legal counsel. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).