CVE-2026-28577: Android WindowManagerService Tapjacking Vulnerability – Local Privilege Escalation
A vulnerability in Android's window management system allows a locally authenticated attacker to perform a tapjacking attack—placing hidden overlay windows on top of legitimate applications to intercept user input or actions. This attack doesn't require user interaction to trigger and can result in unauthorized privilege escalation. The attacker needs only local access to the device (such as through an installed app), making it a practical threat in real-world scenarios.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-1021
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-28577 exists in the addWindow method of WindowManagerService.java, a core Android system service responsible for managing application windows and UI layers. The vulnerability stems from insufficient validation of window overlay permissions or improper enforcement of window stacking rules, enabling an attacker to create transparent or hidden windows that sit above legitimate application windows. Because the Android permissions model trusts installed applications, an app with basic window-creation permissions can exploit this flaw to intercept touch events or spoof UI elements without triggering user warnings. The attack vector is local and requires low privilege (a standard app can trigger it), with no additional execution context needed.
Business impact
Organizations deploying Android devices in security-sensitive roles face elevated risk of credential theft, fraudulent transactions, and unauthorized data exfiltration. An attacker can silently capture login credentials, intercept sensitive gestures (such as payment confirmations), or perform actions on behalf of the user—all while the legitimate application remains visible on screen. This is particularly damaging for enterprises using Android for mobile banking, healthcare records, or sensitive communication. The lack of a user-interaction requirement means attacks can occur automatically upon device compromise, making detection and prevention harder. Downstream impacts include loss of user trust, potential compliance violations (HIPAA, PCI-DSS, GDPR depending on data handled), and incident response costs.
Affected systems
Google Android devices across multiple versions are affected. The vulnerability applies to the core Android operating system where the WindowManagerService component runs; this affects all Android phones, tablets, and other devices running vulnerable Android releases. Given that the source data lists six Android entries (likely representing multiple affected versions or build branches), organizations should treat this as a broad, ecosystem-wide issue rather than a narrow version-specific problem. Verify the exact Android version ranges with Google's official security bulletins or Android Security & Privacy Year in Review documentation.
Exploitability
This vulnerability is highly exploitable. An attacker needs only local access (achieved by tricking a user into installing a malicious app, or through an already-compromised device) and standard application permissions. The attack requires no user interaction—it runs silently in the background—and yields direct privilege escalation within the Android permission model. No CVSS exploit complexity penalty applies (AC:L), indicating straightforward technical execution. The tapjacking technique is well-understood in security research, and once patched versions are identified, bypass or adaptation attempts will likely emerge. The fact that the vulnerability was not added to CISA's Known Exploited Vulnerabilities (KEV) catalog at publication does not diminish its risk; it may reflect limited public disclosure of in-the-wild exploitation at the time of your assessment.
Remediation
Patch Android to the version released by Google that addresses CVE-2026-28577. Contact your device manufacturer (Samsung, OnePlus, etc.) or carrier for rollout timelines, as OEM validation may delay deployment. Android enterprise customers should validate patches in a staging environment before broad rollout. Until patches are deployed, mitigate risk by restricting app installation permissions (disable sideloading of unknown apps), using Mobile Device Management (MDM) to enforce app allowlists, and educating users to install apps only from official Google Play with security reviews enabled. Apps with unusual permission requests should be reviewed; however, this vulnerability may not trigger prominent permission warnings due to its reliance on standard windowing permissions.
Patch guidance
Google will issue a fix through monthly Android Security & Maintenance Releases (ASMR). Verify patch availability by checking Google's official Android Security & Privacy bulletin for June 2026 or later. Device manufacturers and carriers will backport patches to supported device models and Android versions (typically two to three years of support, depending on OEM commitment). To implement: (1) Enroll devices in automatic system update checks where possible; (2) Test patches on a limited device cohort in your organization before full rollout; (3) Prioritize critical devices (those handling banking, healthcare, or sensitive operations) for early patching; (4) Log all patch deployment events for compliance auditing. Work with your MDM provider to automate update enforcement and reporting.
Detection guidance
Detection is challenging because the attack occurs within the window management layer and may not generate obvious user-visible artifacts. Consider: (1) Monitoring device logs for unusual WindowManagerService exceptions or permission denials (requires vendor cooperation or enterprise MDM solutions); (2) Behavioral analysis: look for apps that obtain window permissions but lack visual UI (e.g., background services requesting SYSTEM_ALERT_WINDOW or similar permissions); (3) User education: encourage reporting of unexpected UI behavior (unusual overlay messages, unresponsive buttons); (4) Network-based detection: monitor for anomalous authentication failures, transaction reversals, or credential submissions from android user-agent strings in unusual patterns. Note that advanced attackers may spoof logs, so detection is not foolproof without vendor-provided hardened logging.
Why prioritize this
Assign this HIGH-priority remediation based on the CVSS 7.8 score and the combination of three factors: (1) Local privilege escalation capability—attackers gaining app-level access can escalate to higher privileges; (2) No user interaction required—the attack is autonomous and persistent; (3) High confidentiality, integrity, and availability impact (C:H, I:H, A:H per CVSS vector), meaning successful exploitation compromises all three security goals. For organizations with mobile-first operations or BYOD policies, this approaches CRITICAL severity in terms of business risk, even though the base CVSS is HIGH. Prioritize patching within your security SLA for high-risk vulnerabilities (target: 30–60 days for critical infrastructure or financial services; 90 days for general enterprise).
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: Attack Vector = Local (AV:L, restricting to device-local attackers), Attack Complexity = Low (AC:L, the technique is straightforward), Privileges Required = Low (PR:L, a standard user with an installed app can trigger it), User Interaction = None (UI:N, exploitation is automatic), Scope = Unchanged (S:U, impact is within the Android security boundary), and full compromise of Confidentiality, Integrity, and Availability (C:H, I:H, A:H). The score appropriately reflects the balance: local scope limits maximum severity, but the absence of complexity and user interaction, combined with complete system compromise, elevates it to HIGH. Business context may warrant treating this as critical for organization-specific risk models if mobile devices handle sensitive operations.
Frequently asked questions
Can this vulnerability be exploited remotely without installing an app?
No. CVE-2026-28577 is a local vulnerability (AV:L). An attacker must either achieve local code execution on the device (via another vulnerability, physical access, or compromised supply chain) or trick a user into installing a malicious app. It cannot be exploited over the network from an attacker's remote machine.
Does Android's official app store protect us from this vulnerability?
Partially. Google Play's security scanning may catch obvious malicious apps, but sophisticated attackers can hide the window overlay behavior from static analysis or use legitimate-appearing functionality as a wrapper. Apps with the required permissions will pass store review. Defense-in-depth is essential: use MDM to further restrict permissions, educate users, and prioritize patching.
Do I need to issue a company-wide alert for this vulnerability?
Yes, if your organization has Android devices handling sensitive functions (mobile banking, healthcare, corporate email, etc.). Alert end-users to avoid sideloading apps and to accept system updates promptly. IT/Security teams should immediately assess coverage in your environment and begin patch planning with device manufacturers and MDM providers.
How does this differ from a typical Android security vulnerability?
Most Android vulnerabilities require either remote attack or explicit user action (clicking a link, opening a file). CVE-2026-28577 is particularly concerning because it's local-only but fully autonomous—once a compromised app is installed, the attack runs silently without further user involvement. This makes it harder to detect and respond to in real time.
This analysis is based on disclosed vulnerability information as of the publication date and is intended for cybersecurity professionals. Patch versions, exact affected version ranges, and availability timelines must be verified against Google's official Android Security & Maintenance Release bulletins and your device manufacturer's security advisories. SEC.co provides this information for risk assessment and planning purposes only. No guarantee is made regarding the accuracy, completeness, or applicability to your specific environment. Always conduct your own testing and validation before deploying patches or security controls. If you develop mitigations or detection signatures, test them thoroughly in isolated environments first. Consult your legal and compliance teams regarding disclosure, incident response, and regulatory obligations related to this or any vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0036HIGHAndroid StageCoordinator Tapjacking Privilege Escalation (CVSS 7.8 HIGH)
- CVE-2026-0061MEDIUMAndroid WindowState Tapjacking Vulnerability – Permission Escalation Risk
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2025-48570HIGHAndroid PipTaskOrganizer Privilege Escalation Vulnerability
- CVE-2025-48649HIGHAndroid Local Privilege Escalation via Permission Bypass