Description
In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch Soon
AI Analysis

Impact

The vulnerability is a cross-user permission bypass caused by a confused deputy (CWE-441, Unintended Proxy or Intermediary) in the hasInteractAcrossUsersFullPermission method of AppInfoBase.java, a class in the Android Settings application. In a confused-deputy bug a privileged component answers a permission question for itself rather than for the party that asked it to act; the method's name indicates that the check in question concerns INTERACT_ACROSS_USERS_FULL, the permission that gates operations on another user's profile. A local attacker can exploit the flaw with no additional execution privileges and no user interaction, so a malicious app running as an ordinary, unprivileged app can obtain a cross-user capability it does not hold. The impact is local privilege escalation that can expose another user's data or system functions.
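The confused-deputy pattern described above, as an added illustration that is not code from AppInfoBase.java or from the Android project and does not reproduce the actual defect or its fix: the class and method names are hypothetical, while the Android APIs used (Context.checkSelfPermission, Activity.getLaunchedFromPackage, PackageManager.checkPermission, Context.getUser) are real public APIs, with Activity.getLaunchedFromPackage available from Android 14 (API 34) onward.

```java
import android.Manifest;
import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.UserHandle;

/**
 * Hypothetical illustration of CWE-441 in a cross-user permission check.
 * Not the code of AppInfoBase.java; class and method names are invented.
 */
public final class CrossUserGuard {
    private static final String PERM = Manifest.permission.INTERACT_ACROSS_USERS_FULL;

    private CrossUserGuard() {}

    /**
     * Confused-deputy shape. checkSelfPermission() asks whether THIS process
     * holds the permission. A privileged system app such as Settings does, so
     * the answer is PERMISSION_GRANTED regardless of which app launched the
     * screen that led here, and the deputy lends its privilege to that app.
     */
    public static boolean hasInteractAcrossUsersFullVulnerable(Context context) {
        return context.checkSelfPermission(PERM) == PackageManager.PERMISSION_GRANTED;
    }

    /**
     * Hardened shape. Decide on the identity of the app that originated the
     * request, not on our own grant. Activity.getLaunchedFromPackage()
     * (API 34+) names the launching app; PackageManager.checkPermission()
     * evaluates the permission for that package rather than for ourselves.
     */
    public static boolean hasInteractAcrossUsersFullHardened(Activity activity,
                                                            UserHandle targetUser) {
        // Acting on our own user needs no cross-user privilege at all.
        if (activity.getUser().equals(targetUser)) {
            return true;
        }
        String originator = activity.getLaunchedFromPackage();
        if (originator == null) {
            // Unknown originator: fail closed instead of falling back to the
            // deputy's own permission.
            return false;
        }
        return activity.getPackageManager().checkPermission(PERM, originator)
                == PackageManager.PERMISSION_GRANTED;
    }
}
```

The vulnerable shape is wrong because the deputy asks about its own grant: a system app that holds INTERACT_ACROSS_USERS_FULL passes the check for every originator, which is exactly the CWE-441 condition. The hardened shape fails closed when the originator is unknown; a real implementation also needs an explicit, trusted path for flows that the system itself starts (where the launching package may be the home app or null), since neither case may silently fall back to the deputy's own permission.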

Affected Systems

The CPE entries on this page list Google Android 14.0, 15.0 and 16.0, including the Android 16.0 QPR2 betas (qpr2_beta_1 through qpr2_beta_3; the initial entry for 16.0 QPR2 itself was replaced by the three beta entries on 2026-03-03). The flaw therefore covers the current mainstream releases, Android 14, 15 and 16, plus the recent Android 16 QPR2 beta builds.

Risk and Exploitability

The CVSS 3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) signals high severity: a local, low-complexity attack that needs no privileges and no user interaction, with high impact on confidentiality, integrity and availability. The EPSS score below 1 % indicates a very low current exploitation probability, the SSVC assessment records no known exploitation and rates the flaw as not automatable, and the vulnerability is not in the CISA KEV catalog. Because the flaw is reachable purely from local code, an attacker who can run an app on the device, whether the victim installed it or the attacker had physical access, can bypass the cross-user permission boundary. Prompt patching is advised to mitigate the risk of privileged abuse.

Generated by OpenCVE AI on April 16, 2026 at 14:23 UTC.

Remediation

No vendor fix or workaround is currently recorded for this entry.

OpenCVE Recommended Actions

  • Install the most recent Android security update from your device vendor once it includes the fix for CVE‑2026‑0021, and confirm the security patch level afterwards (Settings > About phone, or the ro.build.version.security_patch system property).
  • Reboot the device to ensure the patch takes effect.
  • Until the device is patched, restrict installation of apps from unknown sources and review installed apps and their permissions, since exploitation requires only a local app running without special privileges.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Title
  Added: Local Privilege Escalation via Cross-user Permission Bypass

Fri, 06 Mar 2026 04:30:00 +0000

References: updated

Fri, 06 Mar 2026 04:15:00 +0000

References: updated

Tue, 03 Mar 2026 18:45:00 +0000

CPEs
  Removed: cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*
  Added:   cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
           cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
           cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 03 Mar 2026 13:45:00 +0000

First Time appeared
  Added: Google
         Google android
CPEs
  Added: cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
         cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
         cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
         cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*
Vendors & Products
  Added: Google
         Google android

Mon, 02 Mar 2026 21:15:00 +0000

Weaknesses
  Added: CWE-441
Metrics
  Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
         ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Description
  Added: In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References: updated

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:50:31.938Z

Reserved: 2025-10-15T15:38:56.780Z

Link: CVE-2026-0021

Vulnrichment

Updated: 2026-03-02T21:09:23.539Z

NVD

Status : Modified

Published: 2026-03-02T19:16:30.347

Modified: 2026-03-06T04:16:04.577

Link: CVE-2026-0021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses