CVE-2026-0061

Vulnerability

In multiple functions within WindowState.java, a tapjacking or overlay attack vulnerability exists. This flaw allows an attacker to trick a user into accepting a permission, potentially leading to local privilege escalation. The vulnerability affects unspecified versions of Android.

Exploitation

An attacker can exploit this vulnerability by presenting a malicious overlay or UI element that tricks the user into interacting with it. This interaction can cause the user to inadvertently grant permissions that the attacker desires. User interaction is not required for exploitation, implying the overlay can be presented without explicit user action to initiate the attack sequence.

Impact

Successful exploitation of this vulnerability could lead to local escalation of privilege. The attacker gains the privileges associated with the permission the user was tricked into accepting, without needing any additional execution privileges. This could compromise the confidentiality, integrity, or availability of user data or system functions.

Mitigation

This vulnerability was addressed in the June 2026 Android Security Bulletin [1]. Users should ensure their devices are updated to receive the security patch. Specific fixed versions and release dates are not detailed in the provided references, and no workarounds are mentioned.