Local Privilege Escalation Vulnerability in Android Host Emulation Manager
CVE-2026-0099

7.8HIGH

Key Information:

Vendor: Google
Status: Android
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-0099?

A local privilege escalation vulnerability exists in the Host Emulation Manager of Android, specifically within the onNullBinding function. This flaw arises from a logic error that allows an activity to be launched from the background. Although exploitation requires user interaction, the vulnerability does not necessitate additional execution privileges, making it a significant concern for device security. Users are advised to apply the latest security updates to mitigate potential risks associated with this vulnerability.

Affected Version(s)

Android 16-qpr2

Android 16

Android 15

References

https://source.android.com/docs/security/bulletin/2026/20...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
Oct 15, 2025

CVE-2026-0099 Data

JSON

Google

What is CVE-2026-0099?

Affected Version(s)

References

CVSS V3.1

Timeline