CVE-2026-0007 · In writeToParcel of WindowInfo.cpp, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack.

01 · The Real Story

This is a pickpocket standing inside the building, not a burglar kicking in the front door

CVE-2026-0007 is an Android framework elevation-of-privilege issue in WindowInfo.cpp affecting Android 14, 15, and 16 per Google’s March 2026 bulletin. The public description frames it as a tapjacking or overlay problem that could trick a user into accepting a permission, while the linked AOSP fix truncates WindowInfo.name during parcelling as a mitigation for a one-way Binder call overflow; either way, the bug sits in local framework/UI plumbing, not a remotely reachable service.

Google’s 8.6 HIGH score is technically defensible in a lab because the post-exploit impact on one handset can be large, but it overrates enterprise urgency. Real attackers need code running on the device first, the reachable population is limited to Android 14–16 endpoints, there is no KEV listing or verified in-the-wild use, EPSS is effectively zero, and CISA’s ADP view lowers the vector to 7.8 with unchanged scope and marks exploitation none and automatable no.

"Serious on a single Android device, but not an enterprise fire drill: it needs on-device code execution and has no exploitation signal."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a malicious app on the handset

The attacker first needs execution on the target Android device, usually via a sideloaded APK, a trojanized Play-distributed app, or an already-compromised user profile. This is the real gate: without local app execution, the CVE is irrelevant.

Conditions required:

Target is running Android 14, 15, or 16 and is missing the March 2026 Android security patch level
Attacker can get an app or code to run on the device
Enterprise policy allows some form of app installation or existing malware foothold

Where this breaks in practice:

Managed Google Play allowlisting, Play Protect, and MTD tools block a lot of commodity delivery
Many enterprise Android fleets disable unknown sources and tightly gate sideloading
This prerequisite already implies partial initial compromise of the endpoint

Detection/coverage: No network scanner will find this. Detection is mostly via mobile threat defense, Play Protect alerts, EMM inventory, and app-install telemetry.

STEP 02

Abuse framework parcel or overlay handling

Once on-device, a malicious app would need to weaponize the vulnerable path in WindowInfo.cpp. Based on the AOSP fix, the exploit path likely involves crafted WindowInfo parcel data and Binder IPC behavior; the public CVE text instead describes an overlay/tapjacking outcome, so treat the precise exploit mechanics as only partially exposed in public sources.

Conditions required:

App can reach the affected framework code path
Exploit code can reliably trigger the vulnerable parcel/UI state on the target build

Where this breaks in practice:

Exploit details are not fully public in primary sources
OEM framework differences can break reliability across devices
Android framework and permission-controller hardening reduces generic overlay abuse paths

Detection/coverage: Very weak scanner coverage. Look for abnormal Binder/Parcel crashes, repeated framework faults, or suspicious overlay-related app behavior in device telemetry.

STEP 03

Bypass user intent around permissions

If exploitation succeeds, the likely practical goal is to subvert permission acceptance or otherwise lift the app’s effective privileges on that device. That turns a low-privileged app foothold into access to sensitive data or controls that should have required explicit user intent.

Conditions required:

A permission boundary or sensitive action is available to abuse on the device
The target user session is active enough for the exploit path to complete

Where this breaks in practice:

Modern Android blocks many obscured-touch scenarios on sensitive prompts
The public record is internally inconsistent about whether user interaction is required, which hurts confidence in broad exploit reliability
Blast radius is usually one device profile, not the fleet

Detection/coverage: Watch for apps requesting overlay-related capabilities, unusual permission state changes, and post-compromise access to SMS, contacts, microphone, camera, or work-profile data.

STEP 04

Monetize the new access on one device

With elevated local access, the attacker can pivot into credential theft, surveillance, enterprise app data access, or abuse of work-profile content depending on what the device stores and what permissions were gained. The operational impact can be ugly for the user, but it is still a single-endpoint problem unless chained with mobile malware distribution at scale.

Conditions required:

Valuable local data or enterprise apps exist on the handset
The gained privileges meaningfully expand access beyond the original app sandbox

Where this breaks in practice:

Not wormable from the CVE alone
MDM containerization and per-app VPN/data separation can contain fallout
Attacker still has to monetize access device by device

Detection/coverage: Behavioral detection is the best bet: unusual data access, enterprise app abuse, exfiltration spikes, or suspicious accessibility/overlay patterns.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No verified active exploitation found in primary sources reviewed; CISA ADP SSVC marks exploitation as `none`.
KEV status	Not listed in the CISA KEV catalog as of this assessment.
EPSS	User-supplied EPSS is 0.00003 (~0.003%), which is consistent with a very low short-term exploitation expectation; primary-source percentile was not verified.
PoC availability	No primary-source PoC located. Third-party indexing claims a public GitHub PoC exists, but I could not validate a vendor-linked or researcher-authored PoC from primary sources.
CVSS reality check	Vendor/NVD shows `8.6 HIGH` with `S:C`; CISA ADP independently recalculates it to 7.8 HIGH with `S:U`, which is a quieter signal that the blast radius is being overstated in the original vector.
Affected versions	Google/CNA and NVD list Android 14, 15, and 16 as affected.
Fixed version	Devices at Android security patch level `2026-03-01` or later address the `2026-03-01` bulletin issues, including this one; OEM backports may deliver the fix under the same patch string.
Exposure profile	Local-only exposure. Shodan/Censys/FOFA-style internet scanning is not meaningful here because the vulnerable surface is on-device framework logic, not an exposed network service.
Disclosure timeline	Published 2026-03-02 by Google Android CNA; Android’s bulletin is dated 2026-03-01.
Researcher / reporter	Discovery not publicly attributed. The CNA is `google_android`; the AOSP patch is authored by Anton Ivanov in the public commit metadata.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.6/10)

The decisive downgrade is the attacker position requirement: this bug matters only after code is already running on the Android device. That makes it a post-initial-access mobile privilege escalation with single-device blast radius, not a fleet-wide emergency, and the lack of KEV activity or credible exploitation evidence removes the main reason to keep it in HIGH.

HIGH Attacker-position downgrade: local/on-device execution is required

MEDIUM Exploit mechanics: public description and AOSP fix do not line up cleanly

HIGH Enterprise urgency reduction from no KEV / no verified active exploitation

Why this verdict

Local attacker position required: AV:L means the attacker already needs code execution on the handset, which is a major downward adjustment from vendor-style severity.
Reachable population is narrow: only Android 14/15/16 are listed, and many enterprise fleets further reduce reachability with managed app stores, allowlisting, and sideloading restrictions.
No exploitation pressure: no KEV listing, no validated in-the-wild campaign evidence, and EPSS is near-zero, so there is no current threat-intel amplifier forcing an elevated patch priority.

Why not higher?

This is not remotely reachable and it is not a pre-auth compromise vector. To matter, the adversary must first plant or run an app on the device, then successfully navigate framework-specific exploit conditions on a mobile platform that already hardens overlay abuse.

Why not lower?

Once the attacker is on the device, the potential impact is still meaningful because a privilege lift on Android can expose enterprise app data, user content, and security-sensitive permissions. It is also a framework bug in a widely deployed mobile OS, so it deserves scheduled remediation rather than backlog oblivion.

05 · Compensating Control

What to do — in priority order.

Enforce managed app allowlisting — Restrict installs to Managed Google Play or your approved enterprise catalog so the attacker cannot easily satisfy the on-device code execution prerequisite. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window, but this should already be a standing control across the fleet.
Block sideloading and ADB for users — Disable unknown sources, developer options, and routine ADB access on production endpoints to cut off the most common delivery paths for local Android exploits. With no mitigation SLA for MEDIUM, treat this as policy hygiene to maintain during the remediation window.
Tighten overlay and accessibility abuse controls — Audit and minimize apps allowed to use overlay-like capabilities, accessibility services, or unusual UI automation patterns, because those are the natural companion controls for tapjacking-style abuse. Maintain this during the 365-day remediation window and prioritize higher-risk user groups first.
Use mobile threat defense telemetry — Enable detections for trojanized apps, suspicious permission changes, repeated framework crashes, and anomalous overlay behavior so you catch the prerequisite malware stage before this CVE matters. There is no mitigation SLA here, but this is the best compensating detection layer while patch adoption catches up.

What doesn't work

External vulnerability scanning doesn't help because the issue is local framework logic on the handset, not an internet-facing daemon.
Perimeter firewalls or WAFs don't meaningfully reduce risk because the exploit path does not traverse your network edge.
User phishing training alone is insufficient; the real control point is preventing malicious app execution and abusive local capabilities on the device.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a connected Android device, or from your EMM/MDM remote shell if it exposes the same getprop values. Invoke it as ./check-cve-2026-0007.sh <adb-serial>; it needs access to adb, but no root on the device.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-0007.sh
# Verify likely exposure to CVE-2026-0007 on an Android device via ADB.
# Usage: ./check-cve-2026-0007.sh <adb-serial>
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/runtime error

set -u

if [ $# -ne 1 ]; then
  echo "Usage: $0 <adb-serial>"
  exit 3
fi

SERIAL="$1"
ADB_BIN="${ADB_BIN:-adb}"

if ! command -v "$ADB_BIN" >/dev/null 2>&1; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

adb_cmd() {
  "$ADB_BIN" -s "$SERIAL" "$@"
}

if ! adb_cmd get-state >/dev/null 2>&1; then
  echo "UNKNOWN: device $SERIAL not reachable via adb"
  exit 2
fi

ANDROID_VER="$(adb_cmd shell getprop ro.build.version.release 2>/dev/null | tr -d '\r')"
SDK="$(adb_cmd shell getprop ro.build.version.sdk 2>/dev/null | tr -d '\r')"
PATCH="$(adb_cmd shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')"
FINGERPRINT="$(adb_cmd shell getprop ro.build.fingerprint 2>/dev/null | tr -d '\r')"

if [ -z "$PATCH" ] || [ -z "$SDK" ]; then
  echo "UNKNOWN: unable to read required Android properties"
  exit 2
fi

# Android version mapping:
# Android 14 -> SDK 34
# Android 15 -> SDK 35
# Android 16 -> SDK 36
case "$SDK" in
  34|35|36)
    AFFECTED_MAJOR="yes"
    ;;
  *)
    AFFECTED_MAJOR="no"
    ;;
esac

# Compare patch strings lexicographically because format is YYYY-MM-DD.
if [ "$AFFECTED_MAJOR" = "no" ]; then
  echo "PATCHED: device is not in the known affected major versions (sdk=$SDK, android=$ANDROID_VER, patch=$PATCH)"
  echo "Fingerprint: $FINGERPRINT"
  exit 0
fi

if [[ "$PATCH" < "2026-03-01" ]]; then
  echo "VULNERABLE: Android $ANDROID_VER (sdk=$SDK) with security patch $PATCH is older than 2026-03-01"
  echo "Fingerprint: $FINGERPRINT"
  exit 1
fi

if [[ "$PATCH" >= "2026-03-01" ]]; then
  echo "PATCHED: Android $ANDROID_VER (sdk=$SDK) with security patch $PATCH meets the bulletin floor for CVE-2026-0007"
  echo "Fingerprint: $FINGERPRINT"
  echo "Note: OEM backports can vary; verify vendor OTA contents if this is a heavily customized build."
  exit 0
fi

echo "UNKNOWN: unable to determine status"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, have your mobility team pull an inventory of Android 14/15/16 endpoints and sort them by patch string, focusing first on devices that allow broad app installation or have weaker app-governance controls. This is MEDIUM, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use that time to roll the vendor/OEM update that brings devices to 2026-03-01 security patch level or later under the noisgate remediation SLA, while maintaining app allowlisting, sideloading blocks, and MTD coverage as standing controls rather than launching an emergency patch campaign.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.