Skip to main content

Google Android CVE-2026-0086

| EUVDEUVD-2026-33798 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-01 google_android GHSA-vgqp-c67c-r79g
6.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.8 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 17:29 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
6.8 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.8
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android 16-QPR2 enables an unprivileged local actor to delete device supervision data by exploiting a missing null check in the onCreate() method of DisableSupervisionActivity.kt, effectively dismantling enterprise MDM controls without requiring elevated privileges or user interaction. The flaw (CWE-269: Improper Privilege Management) is bounded to local access but operates with no authentication prerequisite, making it exploitable by any installed app or local user on a supervised managed device. No public exploit identified at time of analysis, and an EPSS of 0.01% reflects negligible observed exploitation probability; however, organizational risk in enterprise Android deployments is disproportionately higher than the base score suggests.

Technical ContextAI

The vulnerability resides in DisableSupervisionActivity.kt, a component of Android's enterprise device supervision framework, within the Activity lifecycle callback onCreate(). A missing null check on an expected input or object reference allows an attacker to trigger the supervision data deletion path without proper validation or privilege enforcement. CWE-269 (Improper Privilege Management) identifies the root cause as a failure to enforce appropriate privilege boundaries during a sensitive operation - supervision data deletion - which should be guarded against unprivileged invocation. Android device supervision is the mechanism used by MDM (Mobile Device Management) solutions and parental controls to enforce organizational policies on enrolled devices. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers the Android application platform layer, with ENISA EUVD-2026-33798 narrowing the confirmed affected surface to Android 16-QPR2 specifically.

RemediationAI

Apply the security update documented in Google's Android Security Bulletin for June 1, 2026, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01; the exact patched build number should be verified directly from that bulletin, as no specific patched release version is independently confirmed in the available data. OEM device manufacturers typically distribute these patches through standard over-the-air update channels, so enterprise administrators should verify which OEM builds incorporate the June 2026 SPL (Security Patch Level). For enterprise environments where immediate patching is delayed, administrators should evaluate restricting invocation of DisableSupervisionActivity via MDM policy configuration - note this trade-off may interfere with legitimate supervision lifecycle management workflows. Limiting physical and logical device access to trusted personnel reduces exposure in the interim. No workaround is confirmed in the provided data beyond the vendor patch.

Share

CVE-2026-0086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy