CVE-2026-0086: Android DisableSupervisionActivity Privilege Escalation via Null Check Bypass
A vulnerability in Android's DisableSupervisionActivity allows an attacker to delete supervision data on a device by exploiting a missing null check in the onCreate method. This flaw enables local privilege escalation without requiring any special permissions or user interaction, meaning the exploit could trigger automatically during normal device operation. The vulnerability affects multiple Android versions and has a medium severity rating.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-269
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0086 is rooted in insufficient input validation in DisableSupervisionActivity.kt's onCreate lifecycle method. The missing null check allows an attacker to manipulate supervision-related data structures, leading to unauthorized deletion of supervision records. The vulnerability maps to CWE-269 (Improper Access Control) and is exploitable via local attack vectors with no additional privileges required. The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects the local-only attack surface, low attack complexity, high confidentiality impact from data access, and limited integrity impact from deletion.
Business impact
For organizations managing Android devices at scale, this vulnerability poses a risk to mobile device management (MDM) and parental control enforcement. Supervision data deletion undermines device governance policies, potentially allowing users to bypass restrictions or monitoring controls. While the local-only nature limits attack surface, the absence of privilege requirements means any user account on a device could exploit it, making this a particular concern for shared or enterprise-managed Android deployments where supervision policies are business-critical.
Affected systems
This vulnerability affects Google Android across multiple versions. Verification of specific affected version ranges and patch availability should be confirmed against Google's official Android Security & Privacy Year in Review or Android Bulletin announcements. Organizations running Android devices should check their current OS versions against Google's published remediation guidance.
Exploitability
Exploitation requires only local access to an affected Android device—no network connectivity, elevated privileges, or user interaction is necessary. An attacker with shell access or ability to trigger onCreate in DisableSupervisionActivity can immediately invoke the vulnerability. This low barrier to exploitation makes it a credible risk in scenarios where devices are physically accessible or compromise is suspected. However, the lack of CISA KEV (Known Exploited Vulnerability) listing as of the source data indicates no widespread active exploitation campaign has been documented at publication.
Remediation
Apply the security patch released by Google for affected Android versions. The fix involves adding proper null checking logic in DisableSupervisionActivity.kt's onCreate method to validate supervision data before attempting deletion. Users should prioritize patching, especially in environments where device supervision and MDM policies are enforced. Verify specific patch version numbers and applicability to your Android build against Google's official advisory.
Patch guidance
Monitor Google's Android Security & Privacy announcements for the specific patch version addressing CVE-2026-0086. Patches are typically released as monthly security updates or emergency releases depending on severity. For enterprise environments, coordinate MDM deployment of the patched OS version to affected device cohorts. Test the patch in a staging environment before broad rollout to ensure compatibility with critical enterprise apps and MDM profiles.
Detection guidance
Look for unexpected calls to DisableSupervisionActivity or attempts to manipulate supervision-related database tables without administrative action. On Android 12+, enable and monitor Activity Manager logs for onCreate exceptions in the DisableSupervisionActivity component. File integrity monitoring on system directories containing supervision data, combined with application audit logs, can reveal unauthorized modifications. Endpoint detection and response (EDR) solutions capable of Android monitoring should be configured to alert on supervision data access anomalies.
Why prioritize this
Despite a CVSS score of 6.8 (MEDIUM), prioritization depends on organizational risk profile. Organizations heavily reliant on Android supervision—including MDM deployments, parental control systems, or kiosk mode enforcement—should treat this with urgency due to the direct threat to policy enforcement. The low attack complexity and lack of privilege requirements compound the risk even at medium severity. Conversely, organizations with minimal Android governance requirements may apply patches on a standard cycle.
Risk score, explained
The CVSS 3.1 score of 6.8 reflects a local-only attack vector with no special privileges or user interaction required (AV:L/AC:L/PR:N/UI:N). High confidentiality impact (C:H) results from potential access to sensitive supervision records. Limited integrity impact (I:L) stems from deletion capability without full system compromise. Availability is unaffected (A:N). The score appropriately captures a meaningful but not critical privilege escalation vector restricted to local access.
Frequently asked questions
Can this be exploited remotely or only locally?
Only locally. The attack vector requires direct access to the affected device. Remote exploitation is not possible with this vulnerability.
Do I need special Android permissions to exploit this?
No. The vulnerability requires no special permissions (PR:N in the CVSS vector), meaning any user account on the device can trigger the exploit.
Is this vulnerability being actively exploited in the wild?
As of the source data, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no documented widespread active exploitation. However, absence from KEV does not guarantee future safety—patches should still be prioritized.
How does this affect my enterprise MDM deployment?
If your organization relies on Android supervision to enforce policies or monitoring, exploitation allows users to delete supervision records and potentially bypass restrictions. Patching affected devices is critical to maintaining policy enforcement.
This analysis is based on published vulnerability data as of June 2026. Specific affected Android versions, patch availability, and remediation timelines should be verified against official Google Android Security & Privacy advisories. CVSS scores and severity assessments are provided for risk contextualization and should not be used as the sole basis for patch prioritization. Organizations should conduct internal risk assessments aligned with their Android deployment scope and supervision requirements. No exploit code or detailed attack steps are provided in this advisory. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-0009HIGHAndroid Tapjacking Local Privilege Escalation Vulnerability
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure
- CVE-2026-0089HIGHAndroid PackageInstallerService Permission Check Bypass – Local Privilege Escalation
- CVE-2026-0091HIGHAndroid Launcher Privilege Escalation Vulnerability (CVSS 7.8)