HIGH 7.8

CVE-2026-0077: Android ActivityRecord Privilege Escalation Vulnerability

CVE-2026-0077 is a privilege escalation vulnerability in Android's ActivityRecord component that allows a local attacker with limited user privileges to launch background applications and gain elevated system access. The flaw stems from a logic error in the resumeConfigurationDispatch function that fails to properly validate or constrain application launch permissions. No special privileges or user interaction are required for exploitation, making this a straightforward attack vector for any app running on an affected device.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-693
Affected products
3 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in ActivityRecord.java's resumeConfigurationDispatch method due to a logic error that permits improper background application launch (BAL) behavior. The flaw enables local privilege escalation through a path that requires only standard user-level privileges (PR:L), with no additional execution context needed. The attack surface is low-complexity (AC:L) and confined to the local system (AV:L), affecting the confidentiality, integrity, and availability of the device.

Business impact

Organizations deploying Android devices—whether company-owned or BYOD—face elevated risk of unauthorized privilege escalation on vulnerable handsets. A compromised app could escalate to system-level permissions, potentially exfiltrating sensitive corporate data, installing persistent backdoors, or disrupting device functionality. For enterprises relying on Android Mobile Device Management (MDM) controls, this vulnerability could undermine the containment assumptions of sandboxed app isolation, necessitating urgent patching cycles and post-breach forensics.

Affected systems

Google Android is affected by this vulnerability. The severity and scope of specific version coverage should be verified against Google's official security bulletins and Android Security & Privacy Year in Review advisories, as patch deployment varies across device manufacturers and carriers. Organizations should cross-reference their device inventory against Google's published patch guidance to identify affected models and timelines.

Exploitability

This vulnerability presents high exploitability risk due to its attack profile: local access only (standard requirement for installed apps), low complexity, and no special execution privileges needed. Critically, user interaction is not required—an app can trigger the vulnerability autonomously. However, it does require the attacker to already have code execution on the device (e.g., as a malicious or compromised app). This limits opportunistic exploitation but makes it a prime post-compromise escalation vector and a significant concern for malware distribution ecosystems.

Remediation

Apply the security patch issued by Google for your Android version and device model. Patch availability and timelines depend on device manufacturer partnership and carrier approval—flagship devices typically receive updates faster than budget or older models. Pending patch availability, enforce strict app distribution controls (e.g., managed Google Play, app allowlisting), disable sideloading where operationally feasible, and monitor for suspicious privilege escalation behavior via MDM telemetry.

Patch guidance

Monitor Google's Android Security & Privacy Bulletin and your device manufacturer's security updates for the patch addressing resumeConfigurationDispatch. Verify patch availability for your specific Android version and device model before committing to a deployment timeline. Coordinate with your mobile device management platform to schedule staged rollouts, prioritizing devices with high-risk user profiles (e.g., finance, executive, customer service roles). Test patch compatibility with critical business apps in a staging environment before wide deployment.

Detection guidance

Monitor system logs for unusual background application launches initiated by non-system processes, particularly from apps with limited declared permissions. Check for unexpected privilege escalation in audit logs (e.g., capability gain, UID transitions). Mobile threat defense solutions should flag anomalous inter-process communication (IPC) patterns that suggest ActivityRecord manipulation. Review app inventory to identify potentially malicious or compromised applications that may be exploiting this path. Endpoint Detection and Response (EDR) agents on Android should flag suspicious dalvik execution patterns.

Why prioritize this

With a CVSS score of 7.8 (HIGH) and a privilege escalation attack chain requiring only low complexity and user-level entry, this vulnerability warrants urgent prioritization. The absence of user interaction requirement and the fundamental nature of the flaw in the app lifecycle management system elevate risk. Although not yet tracked in public exploit databases (KEV status: false), the straightforward attack pattern makes rapid weaponization likely once patches are available for comparison. Enterprises should treat this as a critical priority for remediation.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects the combination of local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures a dangerous privilege escalation vector that could fully compromise device security, though the attack does require initial local code execution context. The unchanged scope (S:U) indicates impact is limited to the vulnerable device.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. This is a local-only vulnerability (AV:L) requiring code execution already present on the device. An attacker cannot trigger it over the network directly, but a remotely-delivered malware payload could exploit it post-installation.

Do I need to update every Android device?

Patch availability depends on your device manufacturer and carrier. Flagship devices and recent models typically receive updates sooner. Check Google's security bulletins and your device manufacturer's website for guidance specific to your model and Android version.

Can this be exploited by any installed app?

Potentially yes, if the app has baseline permissions needed to invoke the vulnerable code path. Apps do not need special privileges (PR:L means standard app privileges suffice), making this a broad escalation risk for compromised or malicious apps already present on a device.

What should I do while waiting for a patch?

Prioritize enforcement of app distribution controls (managed Google Play, app allowlisting), disable sideloading, and reduce the number of third-party apps installed on corporate devices. Review app permissions and uninstall any untrusted applications. Monitor for signs of device compromise via your MDM platform.

This analysis is based on the CVE record published as of the date indicated and public information available at time of writing. Specific patch version numbers, affected Android versions, and timeline availability have not been independently verified and should be confirmed against Google's official Android Security Bulletin and device manufacturer advisories. Exploit details, weaponization status, or real-world campaign activity may emerge after publication; follow vendor updates and threat intelligence feeds for the latest information. This content is for informational purposes and does not constitute professional security advice; organizations should conduct their own risk assessment and coordinate patching with their security and operations teams. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).