CVE-2026-0036

Vulnerability

A tapjacking issue exists in startAnimation of StageCoordinator.java within Android. This vulnerability is due to a tapjacking or overlay attack, potentially allowing for local privilege escalation. The vulnerability affects Android versions covered by the June 2026 security bulletin [1].

Exploitation

Exploitation of this vulnerability does not require user interaction. An attacker could leverage a tapjacking or overlay attack to trick the user into interacting with a malicious UI element that is overlaid on top of a legitimate application's interface. This could lead to the execution of unintended actions or the escalation of privileges.

Impact

Successful exploitation of this vulnerability could lead to a local escalation of privilege. The attacker gains elevated privileges on the device without needing any additional execution privileges beyond what is required to initiate the tapjacking attack. This means an attacker could potentially gain access to sensitive system functions or data.

Mitigation

This vulnerability is addressed in the June 2026 Android Security Bulletin [1]. Users should ensure their devices are updated to the patched versions. Specific patch release dates and workarounds are detailed in the official Android security bulletin.