CVE-2026-0047
Missing Permission Check in ActivityManagerService Enables Privilege Escalation
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 16.0 | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the dumpBitmapsProto function of ActivityManagerService.java, where a missing permission check allows an app to access private information.
Because of this missing check, an app can escalate its privileges locally without needing any additional execution privileges or user interaction.
How can this vulnerability impact me?
An attacker app could exploit this vulnerability to gain access to private information on the device.
This local escalation of privilege could allow the attacker to perform actions or access data that should normally be restricted.
Since no user interaction or additional execution privileges are needed, the exploitation can happen silently and without the user's knowledge.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know