Description
In onServiceDisconnected of KeyguardServiceDelegate.java, there is a possible partial bypass of app pinning allowing limited interaction with other apps without knowing the LSKF due to a missing permission check. This could lead to local information disclosure where the extent of interaction and impact is app-dependent with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 6.2 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Local Information Disclosure
Action: Patch
AI Analysis

Impact

Android devices have a flaw in the KeyguardServiceDelegate component. When the keyguard service disconnects (onServiceDisconnected in KeyguardServiceDelegate.java), a missing permission check can allow an application to partially bypass app pinning and interact with other applications without knowing the device's lock screen knowledge factor (LSKF), that is, the PIN, pattern or password. This weakness is classified as an information exposure failure (CWE-200) and can result in local information disclosure; the extent of the interaction, and therefore the impact, depends on the target app. No extra execution privileges or user interaction are required for exploitation.

Affected Systems

Vulnerable devices run Android 14.0, 15.0, or 16.0. The issue appears in the KeyguardServiceDelegate implementation across these releases and applies to all device builds of these OS versions that have not been updated to a patched release.

Risk and Exploitability

The CVSS score of 6.2 indicates medium severity (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), and the EPSS score of less than one percent suggests a low likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported. An attacker takes advantage of the flaw locally by triggering a service disconnection; no user interaction or elevated privileges are needed, so any installed application could attempt it, but the impact is confined to the device owner's data and the applications present on the device.

Generated by OpenCVE AI on April 16, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest Android security update that contains the KeyguardServiceDelegate fix.
  • Configure device management policies so that only trusted applications may bind to services provided by KeyguardServiceDelegate, ensuring the required credential check is enforced.
  • Enforce application pinning and restrict background service access for apps that do not need interaction with the keyguard service.


Tracking


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type: Title
Values added: App Pinning Bypass in Android KeyguardServiceDelegate Allows Local Information Disclosure

Fri, 06 Mar 2026 04:30:00 +0000

Type: References

Fri, 06 Mar 2026 04:15:00 +0000

Type: References

Tue, 03 Mar 2026 16:15:00 +0000

Type: Weaknesses
Values added: CWE-200

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 13:30:00 +0000

Type: First Time appeared
Values added: Google; Google android

Type: Weaknesses
Values added: NVD-CWE-noinfo

Type: CPEs
Values added:
  cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
  cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
  cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*

Type: Vendors & Products
Values added: Google; Google android

Type: Metrics (cvssV3_1)
Values added: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 02 Mar 2026 19:00:00 +0000

Type: Description
Values added: In onServiceDisconnected of KeyguardServiceDelegate.java, there is a possible partial bypass of app pinning allowing limited interaction with other apps without knowing the LSKF due to a missing permission check. This could lead to local information disclosure where the extent of interaction and impact is app-dependent with no additional execution privileges needed. User interaction is not needed for exploitation.

Type: References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:46:18.128Z

Reserved: 2025-10-15T15:38:07.612Z

Link: CVE-2026-0005

Vulnrichment

Updated: 2026-03-03T15:32:36.788Z

NVD

Status: Modified

Published: 2026-03-02T19:16:29.033

Modified: 2026-03-06T04:16:02.647

Link: CVE-2026-0005

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses