Cyber Resilience

CVE-2026-0047

High

Published: 02 March 2026

Published
02 March 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0014 3.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0047 is a high-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Google Android. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-0047 is a vulnerability in the dumpBitmapsProto function of ActivityManagerService.java within Android. It arises from a missing permission check that allows an app to access private information. This flaw could lead to local escalation of privilege, requiring no additional execution privileges and no user interaction for exploitation. The vulnerability is associated with CWE-280 and carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A local attacker can exploit this vulnerability by running a malicious app on the device. The attack requires only local access with low complexity, no prior privileges (PR:N), and no user interaction (UI:N). Upon successful exploitation, the attacker achieves high impacts across confidentiality, integrity, and availability, enabling escalation of privileges on the system.

The Android security bulletin published on March 1, 2026, at https://source.android.com/docs/security/bulletin/2026/2026-03-01 provides further details on affected versions and mitigation through available patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In dumpBitmapsProto of ActivityManagerService.java, there is a possible way for an app to access private information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not…

more

needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing permission check in Android system service directly enables local privilege escalation via malicious app with no user interaction or prior privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48646Same product: Google Android
CVE-2024-43077Same product: Google Android
CVE-2026-0106Same product: Google Android
CVE-2024-53840Same product: Google Android
CVE-2025-48574Same product: Google Android
CVE-2024-49732Same product: Google Android
CVE-2025-48619Same product: Google Android
CVE-2024-49742Same product: Google Android
CVE-2026-0035Same product: Google Android
CVE-2024-11624Same product: Google Android

Affected Assets

google
android
16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources like dumpBitmapsProto in ActivityManagerService, directly preventing unauthorized apps from accessing private information due to missing permission checks.

prevent

Applies least privilege to restrict unprivileged apps from escalating via system services, ensuring functions like dumpBitmapsProto require necessary permissions.

prevent

Implements a reference monitor to mediate all accesses in Android system processes, mitigating flaws from omitted permission checks in ActivityManagerService.

References