CVE-2026-0092
CVE-2026-0092 is a critical-severity vulnerability in Google Android with a CVSS 4.0 base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.
Key facts
- Severity: Critical (CVSS 4.0 base score 10.0)
- EPSS exploit prediction: 0% (12th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-37564
- Weakness: CWE-862
- Affected product: Google Android
- Published:
- Last modified:
Description
In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Frequently asked questions
- What is CVE-2026-0092?
- In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- How severe is CVE-2026-0092?
- CVE-2026-0092 has a CVSS 4.0 base score of 10.0, rated critical severity.
- Is CVE-2026-0092 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-0092?
- CVE-2026-0092 affects Google Android. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-0092?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-0092 have an EU (EUVD) identifier?
- Yes. CVE-2026-0092 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37564.
- When was CVE-2026-0092 published?
- CVE-2026-0092 was published on 2026-06-17 and last updated on 2026-06-18.
References
Affected products (1)
- cpe:2.3:o:google:android:17.0:-:*:*:*:*:*:*
More vulnerabilities in Google Android
- CVE-2025-48611 — Critical (CVSS 10.0): In DeviceId of DeviceId.java, there is a possible desync in persistence due to a missing bounds check. This could lead…
- CVE-2015-8073 — Critical (CVSS 10.0): mediaserver in Android 4.4 and 5.1 before 5.1.1 LMY48X allows remote attackers to execute arbitrary code or cause a…
- CVE-2015-8072 — Critical (CVSS 10.0): mediaserver in Android 4.4 through 5.x before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute…
- CVE-2015-6610 — Critical (CVSS 10.0): libstagefright in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows attackers to gain privileges or cause a…
- CVE-2015-6609 — Critical (CVSS 10.0): libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or…
- CVE-2015-6608 — Critical (CVSS 10.0): mediaserver in Android 5.x before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary…
All CVEs affecting Google Android →
Other CWE-862 (Missing Authorization) vulnerabilities
- CVE-2026-33712 — Critical (CVSS 10.0): Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST…
- CVE-2026-2031 — Critical (CVSS 10.0): An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration…
- CVE-2026-34976 — Critical (CVSS 10.0): Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing…
- CVE-2025-30416 — Critical (CVSS 10.0): Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis…
- CVE-2025-45854 — Critical (CVSS 10.0): /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
- CVE-2025-46348 — Critical (CVSS 10.0): YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed…
Browse all CWE-862 (Missing Authorization) vulnerabilities →