CVE-2026-0091: Android Launcher Privilege Escalation Vulnerability (CVSS 7.8)
A privilege escalation vulnerability exists in Android where an over-privileged shell user can execute arbitrary code within the launcher process. An attacker with local access can exploit this weakness to gain elevated privileges without needing special execution rights or user interaction. This is a local-only threat that targets the core launcher functionality central to Android's user interface and app management.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-269
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple locations, there is a possible way to execute code in the launcher process due to an over-privileged shell user. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0091 stems from improper privilege management (CWE-269) affecting the Android launcher process across multiple code locations. The vulnerability allows a process running as the shell user to execute code in the launcher's execution context, effectively bypassing privilege boundaries. The CVSS 3.1 score of 7.8 (HIGH) reflects the local attack vector, low complexity, requirement for local privileges, and the complete compromise of confidentiality, integrity, and availability within the affected process scope.
Business impact
Successful exploitation could allow a compromised or malicious local application to escalate privileges and gain control over core Android system functionality. This threatens the integrity of the device's app ecosystem, user data privacy, and system stability. Organizations managing Android devices—particularly enterprises deploying company phones or tablets—face increased risk if this vulnerability remains unpatched, especially in environments where threat actors have already achieved initial local access.
Affected systems
Google Android is affected across multiple versions and configurations. The vulnerability resides in multiple locations within the codebase, suggesting widespread exposure across Android releases. Verify the specific Android versions and security patch levels impacted by consulting Google's official security advisory and your device manufacturer's update schedule.
Exploitability
The vulnerability requires local access but no additional execution privileges beyond standard user-level permissions. No user interaction is needed for successful exploitation, meaning an attacker with shell-level access can trigger code execution immediately. This lowers the practical barrier to exploitation compared to vulnerabilities requiring social engineering or user action. However, the requirement for existing local access does restrict opportunistic remote exploitation scenarios.
Remediation
Apply security patches released by Google and your device manufacturer as soon as they become available. Patches will address the privilege boundary issue in the launcher process. Monitor your device's security patch level and ensure automatic updates are enabled where policy permits. Organizations should prioritize deployment in environments where local threat actors or untrusted applications pose elevated risk.
Patch guidance
Check Google's official Android security bulletin for CVE-2026-0091 to identify patched versions and affected branches. Device manufacturers including Samsung, OnePlus, and others will release patches through their respective channels; consult your device manufacturer's support page for specific timelines. Apply patches systematically to your fleet and verify successful deployment, as launcher functionality affects all users.
Detection guidance
Monitor for unusual process execution within the launcher process or unexpected privilege escalations originating from shell user context. On managed devices, enable security logging to capture launcher process anomalies. Look for application manifests requesting elevated permissions or targeting launcher-specific functionality. Endpoint detection and response (EDR) solutions should flag attempts to write to or execute from launcher process memory.
Why prioritize this
Though CVE-2026-0091 is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the high CVSS score (7.8), local exploitation ease, and critical role of the launcher process in Android functionality warrant prioritization. Organizations with high-risk device populations or strict compliance requirements should treat this as urgent; mainstream deployments should schedule patching within normal cycles but prioritize over lower-severity issues.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects: (1) local attack vector—requires device access but common in lost/stolen or compromised device scenarios; (2) low attack complexity—no special conditions needed; (3) low privilege requirement—shell user access is standard; (4) no user interaction; and (5) complete impact across confidentiality, integrity, and availability within the launcher process scope. The score does not reflect potential for lateral movement or system-wide compromise, which are possible but context-dependent.
Frequently asked questions
Does this vulnerability affect my Android phone or tablet?
Yes, if your device runs a vulnerable Android version. Check your device's security patch level in Settings > About phone > Android security patch level. Compare against Google's official security bulletin for CVE-2026-0091 to confirm coverage. Manufacturers may release patches on different schedules, so verify with your device maker's support page.
Can this be exploited remotely, or only locally?
Only locally. An attacker must already have local access to your device (e.g., via a compromised app, physical access, or a prior vulnerability). It cannot be exploited over a network directly. However, local access combined with this vulnerability creates a pathway to system privilege escalation.
What should I do if a patch isn't available for my device yet?
Enable automatic security updates if available. Restrict installation of untrusted applications and monitor app permissions carefully. Consider device usage patterns—if your device handles sensitive work, limit local exposure until a patch is available. Contact your device manufacturer to inquire about patch timelines.
Is this being actively exploited in the wild?
As of the vulnerability publication date (June 2026), no active exploitation has been reported in CISA's KEV catalog. However, the relative ease of local exploitation means defensive measures should not be delayed pending evidence of wild exploitation.
This analysis is based on public vulnerability data current as of June 2026. Specific patch versions, affected Android releases, and manufacturer timelines should be verified against official Google Android security advisories and device manufacturer security updates. No exploit code or weaponized techniques are provided. This content is for informational purposes to support security decision-making and should not be treated as a substitute for vendor advisories or legal compliance guidance. SEC.co recommends consulting your organization's security team and vendor contacts for deployment-specific risk assessments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0009HIGHAndroid Tapjacking Local Privilege Escalation Vulnerability
- CVE-2026-0089HIGHAndroid PackageInstallerService Permission Check Bypass – Local Privilege Escalation
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-0086MEDIUMAndroid DisableSupervisionActivity Privilege Escalation via Null Check Bypass