CVE-2026-0098: Android Confused Deputy Privilege Escalation – Activity Start Bypass
CVE-2026-0098 is a local privilege escalation vulnerability in Android's package-calling logic that allows a malicious app to bypass restrictions on which activities it can start. The flaw stems from a confused deputy problem—the system incorrectly trusts the calling context of an app requesting activity launches. An attacker with a local app installation can exploit this without special permissions or user interaction to gain elevated privileges, potentially accessing sensitive device functions or data reserved for system components.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-441
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the getCallingPackageName method within Shared.java, affecting Android's activity launch validation framework. A confused deputy condition permits an unprivileged app to spoof or manipulate the caller identity used in permission checks. By crafting a request that misrepresents the calling package, an attacker can trigger activity starts that the system would normally block. This bypasses activity start restrictions (a core isolation boundary in Android) and enables privilege escalation from an app's baseline permissions to capabilities it should not possess. The attack vector is local (on-device) and requires no additional execution privileges or user acknowledgment, making it reliably exploitable by installed malware or a compromised legitimate app.
Business impact
This vulnerability poses a significant risk to device security and user privacy. An attacker exploiting CVE-2026-0098 could gain access to restricted system features—such as sensitive settings, call handling, or device administration capabilities—that would normally be unavailable to third-party apps. Enterprises managing Android fleets face potential data exfiltration, unauthorized configuration changes, or lateral movement within the device ecosystem. Device makers and carriers must prioritize patching to prevent widespread exploitation by APT groups or commodity malware that adapts to abuse this flaw.
Affected systems
This vulnerability affects multiple Android versions published by Google. The exact version boundaries and affected build levels should be verified against Google's official security advisory. Historically, such confused deputy issues in core Android frameworks impact a broad range of devices across manufacturers, as the flaw exists in shared Android Open Source Project (AOSP) code. Any Android device running an unpatched version is potentially vulnerable.
Exploitability
Exploitability is high. The attack requires no special permissions beyond basic app installation, no user interaction, and succeeds on the first attempt given the right conditions. An attacker does not need to compromise the device or gain shell access beforehand—a malicious or compromised app with minimal permissions can trigger the escalation locally. The confused deputy pattern is a well-understood attack class, and exploitation techniques are straightforward for a skilled adversary. No KEV (Known Exploited Vulnerability) listing is currently recorded, but the simplicity of the attack surface makes weaponization likely if detailed technical analysis becomes public.
Remediation
The primary remediation is to apply the Android security patch released by Google addressing this issue. Device manufacturers and carriers should prioritize the rollout of patched builds to all affected models. Users should enable automatic system updates and verify their device's security patch level is current. In the interim, security controls such as app allowlisting, disabling installation from untrusted sources, and monitoring for unusual activity can reduce exposure. Developers should review their own use of getCallingPackageName and related APIs to ensure they perform additional validation beyond package identity.
Patch guidance
Consult Google's official Android Security & Privacy Year-End Report and monthly security bulletin to identify the specific patch versions and affected devices. Patches are typically distributed through over-the-air (OTA) updates; enable automatic updates on all Android devices. Verify patch status via Settings > About Phone > Security patch level (or equivalent). Device manufacturers may lag in delivering patches—contact your OEM directly if a device remains unpatched 30 days after the CVE publication. Test patches in staging environments before broad rollout to ensure no regressions with internal apps or enterprise MDM tooling.
Detection guidance
Monitor for apps that attempt to launch restricted activities or access privileged system services without the corresponding manifest permissions. Endpoint Detection and Response (EDR) or Mobile Threat Defense (MTD) solutions can flag attempts to invoke protected intents or deprecated/privileged APIs. Review device logs for unexpected activity start events; escalation attacks often trigger permission denial logs followed by successful calls through alternate channels. Behavioral analytics may detect apps exhibiting out-of-profile capability usage—for example, a social media app suddenly accessing device administration features. If available, enable audit logging in your MDM console to track system API calls on managed devices.
Why prioritize this
This vulnerability merits immediate prioritization due to the combination of high CVSS score (7.8), local attack vector, zero user interaction requirement, and the critical nature of activity start restrictions as an Android isolation boundary. The confused deputy pattern enables privilege escalation with minimal effort, creating risk for both consumer and enterprise devices. Although not yet on the KEV list, the simplicity of exploitation and broad impact on Android ecosystem justify urgent patching campaigns.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: (1) Local attack vector—attacker must be on the device, limiting initial access but not remediation urgency given app-based threats; (2) Low attack complexity—no special conditions or race conditions needed; (3) Low privilege requirement—attacker needs only basic app permissions; (4) No user interaction—exploit succeeds automatically; (5) Confidentiality, Integrity, and Availability impact all marked High—successful exploitation grants access to sensitive data, system configuration, and potentially causes denial of service. The score appropriately emphasizes the severity while accounting for the local-only nature.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-0098 is a local privilege escalation; the attacker must already have an app installed or code execution on the device. Remote exploitation is not possible via this vector alone. However, an attacker could combine this flaw with a remote code execution bug to achieve end-to-end compromise.
Do I need special developer permissions to exploit this?
No. A standard Android app with minimal or no special permissions can trigger the confused deputy condition. This makes it extremely dangerous; even a seemingly benign app could abuse this flaw for privilege escalation.
What is a confused deputy, and why is it a problem here?
A confused deputy occurs when a trusted component (the 'deputy') misuses its own elevated privileges based on untrusted input from a less privileged party. In this case, the system package-calling logic trusts the caller identity reported by the getCallingPackageName method without sufficient validation, allowing an attacker to spoof its own package identity and bypass activity launch restrictions intended to isolate different security domains.
How quickly should we patch?
Immediately, if patches are available for your device model. Given the high severity, zero user interaction requirement, and ease of exploitation, this should be treated as an urgent patch within 7–14 days if possible. If patches are not yet available from your OEM, request an ETA and escalate internally; plan interim mitigations such as app vetting and behavioral monitoring.
This analysis is provided for informational purposes by SEC.co to assist security decision-making. Information is derived from the published CVE record and CVSS vector; additional details should be verified against Google's official Android Security & Privacy bulletins. Patch availability, timelines, and affected device lists vary by manufacturer and carrier. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this content. Always test patches in non-production environments before broad deployment. Consult your device manufacturer or Google directly for device-specific remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-48570HIGHAndroid PipTaskOrganizer Privilege Escalation Vulnerability
- CVE-2026-36608HIGHMercusys AC12G UPnP Port Forwarding Admin Exposure Vulnerability
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2025-48649HIGHAndroid Local Privilege Escalation via Permission Bypass
- CVE-2025-48652HIGHAndroid MDM Bypass Logic Flaw – HIGH Severity Privilege Escalation