CVE-2026-0011
Published: 02 March 2026
Summary
CVE-2026-0011 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Google Android. Its CVSS v3.1 base score is 8.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 0.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigating controls our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-11 (Error Handling); the practical fix is the patch released in the March 2026 Android security bulletin.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SI-11 requires centralized, consistent handling of errors and exceptions, which corresponds to CWE-703 (Improper Check or Handling of Exceptional Conditions) as it appears in enableSystemPackageLPw.
AC-3 enforces approved access authorizations, addressing the logic error behind the protection mechanism failure (CWE-693) that enables local privilege escalation.
SI-2 mandates timely identification, reporting, and correction of system flaws such as the logic error in Settings.java; for this CVE the correction is the patch provided in the Android security bulletin. Note that these controls describe the organizational process; on an affected device the only remediation is applying that patch.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The flaw gives direct local privilege escalation through a logic error in system package handling, with no prior privileges or user interaction required.
NVD Description
In enableSystemPackageLPw of Settings.java, there is a possible way to prevent location access from working due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis [AI-generated]
CVE-2026-0011 is a logic error in the enableSystemPackageLPw function of Settings.java within the Android operating system. According to the NVD description, the flaw allows an attacker to prevent location access from working, which could lead to local escalation of privilege. No additional execution privileges are required, and user interaction is not needed for exploitation. The vulnerability is associated with CWE-693 (Protection Mechanism Failure) and CWE-703 (Improper Check or Handling of Exceptional Conditions), with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability with low attack complexity and no prior privileges; local access to the device is the only precondition. Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within the same security scope (S:U), i.e. a privilege escalation that undermines the platform's security controls around location services.
The Android security bulletin at https://source.android.com/docs/security/bulletin/2026/2026-03-01, published in March 2026, lists the affected versions and the patches available for mitigation.
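Since the only on-device remediation is the bulletin patch, the first thing a practitioner wants is a repeatable check of whether a device's security patch level already covers it. The script below is an added example, not code from the original page or from the Android project. It assumes the fix ships in the 2026-03-01 patch level named in the bulletin URL, that `adb` is on PATH when querying a live device, and it reads the standard `ro.build.version.security_patch` system property; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Android bulletin or the original page): decide whether a
# device's security patch level covers the March 2026 bulletin that fixes CVE-2026-0011.
# Assumption: the fix is included in the 2026-03-01 patch level named in the bulletin URL.
FIX_PATCH_LEVEL="2026-03-01"

# patch_level_to_int YYYY-MM-DD
#   prints the level as YYYYMMDD so it can be compared numerically;
#   returns 1 (prints nothing) when the input is not a well-formed patch level.
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | tr -d '-'
}

# is_patched DEVICE_LEVEL [FIX_LEVEL]
#   returns 0 if DEVICE_LEVEL is at or after FIX_LEVEL (default: FIX_PATCH_LEVEL),
#   1 if the device is behind, 2 if either level is malformed (treat as unknown, not safe).
is_patched() {
    dev=$(patch_level_to_int "$1") || return 2
    fix=$(patch_level_to_int "${2:-$FIX_PATCH_LEVEL}") || return 2
    [ "$dev" -ge "$fix" ]
}

# check_device
#   reads the patch level from the connected device over adb and reports the verdict;
#   the tr strips the CR/LF that adb shell appends so the value matches the pattern.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    if is_patched "$level"; then
        echo "patched: security_patch=$level >= $FIX_PATCH_LEVEL"
    else
        echo "VULNERABLE or unknown: security_patch='$level', need >= $FIX_PATCH_LEVEL"
        return 1
    fi
}

# Query a device only when invoked as: sh check_patch.sh device
# Without the argument the functions are just defined, so the file can be sourced.
if [ "${1:-}" = "device" ]; then
    check_device
fi
```

A device reporting an older level (for example 2026-02-05) is flagged, a malformed or empty property value is deliberately treated as unknown rather than patched, and the comparison is purely on the date string, so it does not depend on the device vendor's build fingerprint.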
Details
- CWE(s)