CVE-2026-0017 - Vulnerability Details

- BiometricService Logic Error Allows Unauthorized Fingerprint Unlock

Description

In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Published: 2026-03-02

Score: 7.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A logic error in Android’s BiometricService onChange method can enable fingerprint unlock without proper authorization. The flaw allows a local user to gain elevated privileges without needing additional privileges or executing arbitrary code. The vulnerability falls under CWE‑285 (Authorization Bypass) and CWE‑693 (Lack of Security Awareness).

Affected Systems

The vendor is Google and the product affected is Android version 16.0, including the QPR2 beta releases 1, 2, and 3. The impact applies to all devices running these builds.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, whereas the EPSS score of < 1 % and absence from the KEV catalog suggest a very low current exploitation probability. The likely attack vector is local, inferred from the description: an attacker who can trigger the service’s onChange handler (e.g., through a crafted app or a system component) can activate fingerprint unlock, escalating privilege on the device. No user interaction is required for exploitation based on the description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Android

unaffected

Version	Status	Constraints
`16-qpr2`	affected	—
`16`	affected	—

Configuration 1 [-]

OR	cpe:2.3:o:google:android:16.0:-::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_1::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_2::::::
	cpe:2.3:o:google:android:16.0:qpr2_beta_3::::::

No data.

Vendor Product Confidence Versions

Google

Android

100%

Version	Status	Scheme	Platform
`16-qpr2`	affected	generic	—
`16`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Android security patch from Google that addresses the BiometricService logic error
If no patch is immediately available, disable fingerprint authentication by using the device’s security settings or a device administration policy
Monitor Google’s security bulletin for further updates

Generated by OpenCVE AI on April 18, 2026 at 17:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00003.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://source.android.com/docs/security/bulletin/2026/2026-03-01

History

Sat, 18 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Title		BiometricService Logic Error Allows Unauthorized Fingerprint Unlock

Fri, 06 Mar 2026 04:30:00 +0000

Type	Values Removed	Values Added
References	https://source.android.com/security/bulletin/2026-03-01

Fri, 06 Mar 2026 04:15:00 +0000

Type	Values Removed	Values Added
References		https://source.android.com/docs/security/bulletin/2026/2026-03-01

Wed, 04 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 03 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:o:google:android:16.0:qpr2::::::	cpe:2.3:o:google:android:16.0:qpr2_beta_1:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_2:::::: cpe:2.3:o:google:android:16.0:qpr2_beta_3::::::

Tue, 03 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android
CPEs		cpe:2.3:o:google:android:16.0:-:::::: cpe:2.3:o:google:android:16.0:qpr2::::::
Vendors & Products		Google Google android

Tue, 03 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-285 CWE-693
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References		https://source.android.com/security/bulletin/2026-03-01

Subscriptions

Google Android

MITRE

Status: PUBLISHED

Assigner: google_android

Published: 2026-03-02T18:42:41.539Z

Updated: 2026-03-06T03:49:43.449Z

Reserved: 2025-10-15T15:38:50.261Z

Link: CVE-2026-0017

Vulnrichment

Updated: 2026-03-03T15:05:27.592Z

NVD

Status : Modified

Published: 2026-03-02T19:16:30.133

Modified: 2026-03-06T04:16:04.217

Link: CVE-2026-0017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object