CVE-2026-0016

Vulnerability

In the updateProvidersWhenServiceRemoved function within CredentialManagerService.java, a permissions bypass vulnerability exists. This flaw allows for settings to be overridden across different user profiles on the device. The vulnerability is present in Android versions affected by the June 2026 security bulletin.

Exploitation

An attacker with local access to the device can exploit this vulnerability. No user interaction is required. The attacker can trigger the updateProvidersWhenServiceRemoved function, which, due to the permissions bypass, allows them to manipulate settings across user profiles.

Impact

Successful exploitation of this vulnerability can lead to local information disclosure. An attacker can potentially view or access sensitive information that is normally restricted to specific user profiles. No additional execution privileges are needed beyond what is required to trigger the vulnerable code path, and no further execution privileges are gained.

Mitigation

This vulnerability is addressed in the June 2026 Android Security Bulletin. Users should ensure their devices are updated to the patched versions. Specific patch release dates and version numbers can be found in the official Android Security Bulletin [1]. There are no workarounds mentioned in the available references.