Skip to main content

Google Android CVE-2026-0063

| EUVDEUVD-2026-37575 CRITICAL
Improper Privilege Management (CWE-269)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local attack via an installed app (AV:L, PR:L, UI:N); logic error reliably triggered (AC:L); integrity of carrier-restriction state is broken (I:H) with no confidentiality or availability impact and no scope change.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:29 vuln.today
CVE Published
Jun 17, 2026 - 07:24 cve.org
CRITICAL 10.0

DescriptionCVE.org

In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android's telephony subsystem (PhoneInterfaceManager) allows attackers to disable carrier restrictions without any user interaction or additional execution privileges. The flaw stems from a logic error in the setAllowedCarriers handler and is addressed in the Android Security Bulletin for Android 17. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install unprivileged app on device
Delivery
Obtain ITelephony Binder handle
Exploit
Call setAllowedCarriers with crafted input
Execution
Trigger logic-error authorization bypass
Impact
Carrier restrictions cleared on device

Vulnerability AssessmentAI

Exploitation Attacker must be able to run unprivileged code locally on the Android device - i.e., have a locally installed app (any app, including one with no special permissions) that can reach the PhoneInterfaceManager Binder interface and call setAllowedCarriers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with H impact on both vulnerable and subsequent systems) and the 10.0 score are inconsistent with the description, which explicitly says 'local escalation of privilege' - a local attacker on an Android device, not a network-reachable attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or trojanized app installed on an Android device (e.g., via sideloading or a Play Store abuse) invokes the telephony manager's setAllowedCarriers path and exploits the logic error to clear the carrier-restriction list, effectively unlocking a carrier-locked or subsidized device without root or user interaction. The unlocked device can then be resold or moved to another carrier, defeating subsidy-lock business controls; no public POC has been referenced in the available data.
Remediation Patch available per vendor advisory: apply the Android Security Bulletin for Android 17 (https://source.android.com/docs/security/bulletin/android-17) by updating to a security patch level that includes the fix to PhoneInterfaceManager.setAllowedCarriers. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all Android 17 devices in deployment; document carrier restriction configurations and baseline access controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-0063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy