Android ActivityManagerService Local PrivEsc via Missing Permission Check
CVE-2026-0047 Published on March 2, 2026

In dumpBitmapsProto of ActivityManagerService.java, there is a possible way for an app to access private information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

NVD

Vulnerability Analysis

CVE-2026-0047 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Improper Handling of Insufficient Permissions or Privileges

The application does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the application in an invalid state.


Products Associated with CVE-2026-0047

Want to know whenever a new CVE is published for Google Android? stack.watch will email you.

Google Android
 

Affected Versions

Google Android Version 16-qpr2 is affected by CVE-2026-0047