CVE-2026-0061: Android WindowState Tapjacking Vulnerability – Permission Escalation Risk
CVE-2026-0061 is a privilege escalation vulnerability in Android's WindowState component that allows an attacker to manipulate the permission-granting UI through overlay attacks (tapjacking). By displaying a malicious overlay on top of the system permission dialog, an attacker can trick users into granting sensitive permissions without explicit awareness. The critical aspect is that this requires no special execution privileges and no user interaction in the traditional sense—the attack succeeds through visual deception rather than social engineering or code execution exploits.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-1021
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in multiple functions within WindowState.java where insufficient validation of UI overlay layers permits a malicious application to render content atop the system permission request interface. An attacker can position a transparent or visually deceptive overlay that captures or redirects user touches intended for the permission dialog, effectively tricking the system into granting permissions. This is classified as a CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) issue. The CVSS score of 5.9 reflects local attack vector, low complexity, no privilege requirement, and impacts on confidentiality, integrity, and availability within a single user context.
Business impact
A successful exploitation allows unprivileged applications to escalate their capabilities by obtaining permissions they should not have—such as camera, microphone, location, or contacts access—without proper user consent. This threatens user privacy (unauthorized surveillance or data exfiltration), data integrity (unauthorized modifications), and operational security. Enterprise deployments face risk of employee devices being compromised to exfiltrate sensitive corporate data or enable targeted surveillance. The attack is particularly dangerous because it bypasses Android's permission model, which is a foundational security boundary.
Affected systems
The vulnerability affects multiple versions of Google Android across the identified product entries. Organizations relying on Android devices should consult Google's security bulletin and patch release notes to determine exact version ranges affected. Typically such WindowState issues span multiple API levels and device configurations. Verification of your specific Android versions against the official advisory is essential.
Exploitability
While not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, the attack is technically straightforward: an attacker distributes a malicious app that runs in the background, monitors for permission dialogs, and overlays a deceptive UI. The CVSS vector indicates no user interaction is required in the sense that the attack executes automatically once the app is installed and a permission prompt appears. However, the initial app installation still requires user action (a pre-condition outside the vulnerability scope itself). The local-only attack vector limits exposure to devices where the malicious application can be installed.
Remediation
Primary remediation is applying Google's security patches for Android as they become available. Users and administrators should prioritize patching across their Android device fleet. Concurrent mitigations include restricting installation of untrusted apps via Google Play Protect, disabling installation from unknown sources, and using Mobile Device Management (MDM) to enforce strict app policies. Code-level, this requires hardening WindowState UI validation to detect and reject overlay attempts on system permission dialogs.
Patch guidance
Monitor Google's monthly Android security bulletin for patches addressing CVE-2026-0061. Patches are typically released via Google Play System Update or device manufacturer OTA updates depending on the Android version and device model. Organizations should test patches in a controlled environment before broad deployment. Prioritize devices that handle sensitive corporate data or are used in high-security contexts. Verify patch version numbers against Google's official security advisory before deployment.
Detection guidance
Detection is challenging at runtime because the attack occurs within the UI layer. Behavioral indicators include: unusual permission grants after a brief permission dialog display, app install logs followed by unexpected permission grants, and anomalous background process activity concurrent with permission prompts. MDM solutions can monitor for suspicious app installations and permission patterns. Forensic analysis of compromised devices should focus on app installation timestamps and permission grant logs to correlate malicious app presence with privilege escalation events.
Why prioritize this
Although rated MEDIUM severity, the practical risk is elevated due to the attack's invisibility to end users and its bypass of Android's core permission model. Organizations with users handling sensitive data, intellectual property, or regulated information (healthcare, finance, legal) should prioritize patching. The lack of KEV listing suggests active exploitation may not yet be widespread, providing a window for proactive patching before adversaries adopt this technique at scale.
Risk score, explained
The CVSS 5.9 MEDIUM score reflects the local-only attack vector (AV:L), which limits exposure to installed apps; low attack complexity (AC:L); no privilege requirement (PR:N); and impacts across confidentiality, integrity, and availability (C:L/I:L/A:L). However, the real-world risk is higher because the vulnerability completely bypasses a security model users rely on, and the exploitation is automated once an app is installed. Organizations should treat this as higher priority than the numeric score alone suggests.
Frequently asked questions
Can this vulnerability be exploited remotely or only locally?
Exploitation is local only (AV:L in the CVSS vector). An attacker must first get a malicious application installed on the target device. However, once installed, no further user interaction is needed to trigger the overlay attack.
Does this affect all Android devices equally?
Exposure depends on the Android version running on the device. Consult Google's security bulletin for the exact affected Android versions and API levels. Device manufacturers may release patches on different timelines depending on their update process.
What permissions are most at risk from this attack?
Any permission that triggers a system dialog is at risk—camera, microphone, location, contacts, photos, and calendar access are common targets. The specific permissions depend on the malicious app's objectives.
If I have Google Play Protect enabled, am I protected?
Google Play Protect provides app scanning and can detect known malicious apps, but determined attackers may use obfuscation or novel malware to evade detection. Play Protect is a helpful layer but not a complete defense; patching is essential.
This analysis is based on publicly available vulnerability data current as of the source publication dates. Organizations must verify patch version numbers and affected product versions against official Google Android security advisories before deployment. No exploit code or weaponized proof-of-concept is provided. The technical details and risk assessment are for authorized security and IT personnel; this information should not be used for malicious purposes. CVE-2026-0061 is referenced for informational purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0036HIGHAndroid StageCoordinator Tapjacking Privilege Escalation (CVSS 7.8 HIGH)
- CVE-2026-28577HIGHAndroid WindowManagerService Tapjacking Vulnerability – Local Privilege Escalation
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0039MEDIUMAndroid Integer Overflow Denial of Service Vulnerability
- CVE-2026-0040MEDIUMAndroid ubsan_throwing_runtime Integer Overflow DoS Vulnerability
- CVE-2026-0041MEDIUMAndroid UBSan Integer Overflow Remote Denial of Service
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service