CVE-2026-0094: Android KeyChain Privilege Escalation via UI Misrepresentation
A flaw in Android's KeyChain component allows a local attacker with user-level privileges to manipulate the certificate approval interface in a way that tricks the system into granting access to certificates without explicit user consent. The vulnerability stems from misleading or incomplete UI messaging in the getApplicationLabel function, enabling privilege escalation entirely through local interaction. No special permissions or user action is required to exploit it once initiated.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-451
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0094 is a local privilege escalation vulnerability in Android's KeyChainActivity.java affecting the getApplicationLabel method. The flaw exploits insufficient or misleading user interface controls that govern certificate access approval. By manipulating the application label presentation, an attacker with local access and standard user privileges can bypass the intended certificate approval workflow, resulting in unauthorized access to cryptographic credentials. The vulnerability is classified as CWE-451 (User Interface (UI) Misrepresentation of Critical Information), indicating a fundamental design flaw in how security-critical decisions are presented to the system.
Business impact
This vulnerability creates a direct path for privilege escalation on Android devices. An attacker who gains local access—whether through a compromised app, physical access, or lateral movement—can extract or abuse device certificates without additional permissions. This undermines the entire certificate-based security model on affected devices, potentially compromising encrypted communications, authentication tokens, and access to corporate or sensitive resources. Organizations relying on Android device security for BYOD or enterprise deployments face elevated risk of credential theft and lateral movement to backend systems.
Affected systems
Google Android systems are affected. The vulnerability resides in the KeyChain framework, a core Android component responsible for managing cryptographic certificates. All versions of Android implementing this vulnerable code path in KeyChainActivity.java are in scope. Consult official Android security advisories and your device's security patch level to determine if your specific Android version and device model are affected.
Exploitability
The vulnerability requires local access to an affected Android device but no additional execution privileges beyond standard user-level permissions. Critically, user interaction is not required for exploitation—the attack can proceed automatically once a local attacker initiates it. The attack surface is relatively accessible because the flaw lies in a standard UI component rather than requiring exploit-specific kernel manipulation or complex multi-step chaining. This combination of low barriers to exploitation and high-impact privilege escalation makes this a practical threat for local attackers.
Remediation
Organizations and users must apply security patches released by Google for their respective Android versions. Patch availability and installation procedures vary by device manufacturer and carrier; consult your device's official security update channel. Until patches are available or deployed, device-level hardening measures—such as restricting app installation sources, disabling unknown sources, and limiting admin privileges—can reduce exposure. Monitor devices for signs of unauthorized certificate access or suspicious app behavior.
Patch guidance
Google has published fixes for this vulnerability; verify the specific patch version applicable to your Android version by consulting the official Android Security & Privacy Year in Review publication and your device manufacturer's security bulletin. Patches are typically released through standard Android security updates; enable automatic security updates and verify successful installation through device Settings > System > System Update history. Device manufacturers may release patches on different timelines; contact your OEM for guidance if patches are unavailable for your specific model.
Detection guidance
Monitor for unauthorized certificate access attempts, unusual KeyChain API calls from unexpected applications, and unexpected privilege escalation events in Android system logs. Security monitoring tools should flag applications requesting certificate access outside of normal application behavior profiles. On managed devices, mobile device management (MDM) solutions can enforce certificate access policies and alert on violations. Review logs for getApplicationLabel function invocations in anomalous contexts or rapid repeated calls that suggest brute-force manipulation attempts.
Why prioritize this
This vulnerability merits immediate prioritization due to its HIGH CVSS score (7.8), local privilege escalation capability without user interaction, and impact on credential security across Android devices. The UI misrepresentation attack vector is difficult for users to detect and defend against without patching. Organizations with Android deployments, particularly in enterprise or sensitive environments, should treat this as urgent and begin patch deployment planning immediately.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: local attack vector (AV:L) limiting immediate remote exploitation but enabling practical attacks from compromised apps or physical access; low attack complexity (AC:L) indicating straightforward exploitation without special conditions; low privileges required (PR:L) allowing standard user accounts to attack; no user interaction needed (UI:N) enabling automatic exploitation; and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The lack of sandbox escape requirements and the fundamental nature of the UI flaw justify the elevated score.
Frequently asked questions
Does this vulnerability affect my Android device?
It depends on your Android version and device model. The vulnerability exists in the KeyChain component across affected Android versions. Check your device's security patch level (Settings > About phone > Android version or Build number) and compare it against your manufacturer's security bulletins. Devices with current security patches are likely protected.
Why is user interaction not required if this is a UI flaw?
The flaw is in how the certificate approval UI presents information, not in a separate user confirmation step. Once an attacker triggers the vulnerable code path, the misleading UI state itself permits the privilege escalation without requiring the user to click, approve, or acknowledge anything further.
Can I be exploited if I only use trusted apps?
A compromised app, app update, or app with hidden malicious behavior could exploit this locally. Additionally, an attacker with physical device access could exploit it. Patching is the most reliable defense; device-level restrictions on app installation sources reduce (but do not eliminate) risk.
What should I do immediately?
Enable automatic security updates if available on your device, check for pending system updates in Settings, and apply them immediately. If your device has reached end-of-life and no patches are available from the manufacturer, consider device replacement or additional security controls such as MDM policy enforcement.
This analysis is provided for informational purposes and does not constitute legal, compliance, or technical advice. Verify all patch versions, affected products, and remediation steps against official vendor advisories before implementation. Testing patches in non-production environments is strongly recommended. Organizations should consult their security teams and device manufacturers for guidance specific to their environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0088HIGHAndroid CertInstaller Privilege Escalation
- CVE-2026-0093HIGHAndroid Local Privilege Escalation via Misleading UI—CVSS 7.8
- CVE-2026-0096HIGHAndroid Local Privilege Escalation in ForgetDeviceDialogFragment
- CVE-2026-10984MEDIUMGoogle Chrome Android UI Spoofing Vulnerability – Medium Severity
- CVE-2026-11001MEDIUMGoogle Chrome UI Spoofing in Payments – Patch Now
- CVE-2026-11019MEDIUMChrome Android Payments Domain Spoofing Vulnerability
- CVE-2019-25718HIGHDräger Infinity Explorer C700 Kiosk Escape Privilege Escalation
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure