CVE-2026-0011 - Vulnerability Details

- Logic Error in Settings Enabling Local Privilege Escalation

Description

In enableSystemPackageLPw of Settings.java, there is a possible way to prevent location access from working due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Published: 2026-03-02

Score: 8.4 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A logic error in enableSystemPackageLPw within Settings.java can prevent location access from functioning, resulting in a local privilege escalation flaw. The vulnerability allows a local attacker to gain administrative privileges without requiring additional execution privileges or user interaction.

Affected Systems

Google Android devices running Android versions 14.0, 15.0, and 16.0—including the qpr2_beta variants—may be affected.

Risk and Exploitability

The CVSS base score of 8.4 signals high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers need only local access and no user interaction or remote code execution to exploit the flaw, which can elevate privileges to privileged system mode.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Android

unaffected

Version	Status	Constraints
`16-qpr2`	affected	—
`16`	affected	—
`15`	affected	—
`14`	affected	—

Configuration 1 [-]

OR	cpe:2.3:o:google:android:14.0:::::::*
	cpe:2.3:o:google:android:15.0:::::::*
	cpe:2.3:o:google:android:16.0:-::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_1::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_2::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_3::::::

No data.

Vendor Product Confidence Versions

Google

Android

100%

Version	Status	Scheme	Platform
`16-qpr2`	affected	generic	—
`16`	affected	generic	—
`15`	affected	generic	—
`14`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official Android security update that corrects the logic error in enableSystemPackageLPw; this patch addresses improper handling of credentials (CWE-693) and ensures correct default configuration (CWE-703).
Until the update is available, disable location services for all non-system applications via the Settings menu or device policy; this mitigates the risk posed by the improper credential handling flaw.
Configure device management or ADB shell scripts to enforce that only privileged system packages can call enableSystemPackageLPw, thereby preventing unauthorized privilege escalation resulting from the logic error.

Generated by OpenCVE AI on April 18, 2026 at 10:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00004.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://source.android.com/docs/security/bulletin/2026/2026-03-01

History

Sat, 18 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
Title		Logic Error in Settings Enabling Local Privilege Escalation

Fri, 06 Mar 2026 04:30:00 +0000

Type	Values Removed	Values Added
References	https://source.android.com/security/bulletin/2026-03-01

Fri, 06 Mar 2026 04:15:00 +0000

Type	Values Removed	Values Added
References		https://source.android.com/docs/security/bulletin/2026/2026-03-01

Tue, 03 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:o:google:android:16.0:qpr2::::::	cpe:2.3:o:google:android:16.0:qpr2_beta_1:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_2:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_3::::::

Tue, 03 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android
CPEs		cpe:2.3:o:google:android:14.0:::::::* cpe:2.3:o:google:android:15.0:::::::* cpe:2.3:o:google:android:16.0:-:::::: cpe:2.3:o:google:android:16.0:qpr2::::::
Vendors & Products		Google Google android

Tue, 03 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-693 CWE-703
Metrics		cvssV3_1 `{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		In enableSystemPackageLPw of Settings.java, there is a possible way to prevent location access from working due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References		https://source.android.com/security/bulletin/2026-03-01

Subscriptions

Google Android

MITRE

Status: PUBLISHED

Assigner: google_android

Published: 2026-03-02T18:42:36.357Z

Updated: 2026-03-06T03:47:53.561Z

Reserved: 2025-10-15T15:38:40.527Z

Link: CVE-2026-0011

Vulnrichment

Updated: 2026-03-03T15:52:22.357Z

NVD

Status : Modified

Published: 2026-03-02T19:16:29.590

Modified: 2026-03-06T04:16:03.337

Link: CVE-2026-0011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object