Description
In onNullBinding of HostEmulationManager.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in onNullBinding of HostEmulationManager.java allows an app to launch an activity from the background. This behavior can lead to a local privilege escalation attack with no need for additional execution privileges. The exploitation requires user interaction, meaning a user must be prompted or interact with the device for the attack to succeed.

Affected Systems

The vulnerability is in the HostEmulationManager component of the Android OS and affects Google Android versions 14.0, 15.0, 16.0, and the 16.0 qpr2 branch. All devices on those releases are potentially vulnerable unless the corresponding patch is applied.

Risk and Exploitability

The CVE is not listed in the CISA KEV catalog, and its EPSS score of < 1% indicates a very low but non‑zero probability of exploitation. The CVSS score of 7.8 (High) indicates a high-severity local privilege escalation. Because the attack requires user interaction, the risk depends heavily on user behavior, but once triggered it could elevate attacker privileges on the device.

Generated by OpenCVE AI on June 3, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your Android device to the latest version that contains the HostEmulationManager patch.
  • Limit background app activity launch by disabling or restricting background activity permissions in the app manifest or using device policy controls.
  • Verify that no untrusted third‑party apps can invoke the HostEmulationManager component and remove or update any such apps.



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Background Activity Launch in Android
Weaknesses CWE-284

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-273
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*

Tue, 02 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 02 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Background Activity Launch Enabling Local Privilege Escalation in Android HostEmulationManager
Weaknesses CWE-20
CWE-640

Mon, 01 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Background Activity Launch Enabling Local Privilege Escalation in Android HostEmulationManager
Weaknesses CWE-20
CWE-640
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In onNullBinding of HostEmulationManager.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T03:56:14.051Z

Reserved: 2025-10-15T15:43:02.326Z

Link: CVE-2026-0099

Vulnrichment

Updated: 2026-06-01T22:43:49.668Z

NVD

Status: Analyzed

Published: 2026-06-01T22:16:23.630

Modified: 2026-06-02T18:04:41.377

Link: CVE-2026-0099

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:00:13Z

Weaknesses