CVE-2026-0088

Vulnerability

In the getCallingAppLabel function within CertInstaller.java, a flaw exists that allows for the presentation of misleading or insufficient UI elements. This can result in the hiding of sensitive security dialogues. The vulnerability affects Android versions as detailed in the June 2026 security bulletin [1].

Exploitation

An attacker with local access can exploit this vulnerability without needing any additional execution privileges. The vulnerability is triggered by a flaw in how getCallingAppLabel presents UI, leading to the suppression of critical security prompts. User interaction is not required for exploitation, and no specific configuration is mentioned as necessary beyond local access [1].

Impact

Successful exploitation of this vulnerability can lead to a local escalation of privilege. The attacker can effectively hide sensitive security dialogues, potentially tricking users or bypassing security checks. This allows the attacker to gain elevated privileges on the device without requiring any further execution capabilities or user consent [1].

Mitigation

This vulnerability was addressed in the Android Security Bulletin released on June 1, 2026 [1]. Users should ensure their devices are updated to the patched versions. Specific version numbers and patch dates can be found in the official Android security bulletin. No workarounds are mentioned, and the vulnerability is considered fixed in the released patches [1].