CVE-2026-0011 · In enableSystemPackageLPw of Settings.java, there is a possible way to prevent location access from working due to a logic error in the code

01 · The Real Story

This is less a front-door break-in than a thief abusing a bad badge reissue inside the building

CVE-2026-0011 is an Android Package Manager logic flaw in enableSystemPackageLPw within Settings.java. Google says it can cause a system app to be re-enabled incorrectly after an update is uninstalled, creating a path to local privilege escalation and breaking location access behavior. Officially affected Android branches are 14, 15, 16, and 16-qpr2; NVD also shows beta variants of 16 qpr2 in the affected CPE set.

The vendor's HIGH 8.4 score overstates enterprise urgency because the bug is local-only and sits behind a very specific state transition in package management. In practice, the attacker needs code execution on the handset first, then must reach a niche package lifecycle condition involving a system app and shared-UID handling. That is valuable for targeted mobile post-exploitation, but it is not the kind of broadly reachable fleet-wide emergency that deserves top-of-queue treatment on Monday morning.

"High CVSS on paper, but this is a post-compromise Android LPE with narrow real-world reach."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code on the device

The attacker first needs execution on the Android device, typically via a malicious app, sideloaded APK, or a prior exploit chain. CVSS encodes this as AV:L/PR:N/UI:N, which sounds scary, but in the field it still means the adversary must already be running code locally on the handset.

Conditions required:

Target runs affected Android branch
Attacker can execute code locally on the device
Enterprise controls do not block the delivery path

Where this breaks in practice:

Google Play Protect, MDM app policy, and blocked sideloading reduce reachable population
Many enterprise-owned Android devices are locked to managed app stores
This prerequisite already assumes partial compromise of the endpoint

Detection/coverage: Mobile threat defense and EMM/UEM telemetry can often see unknown app installs or sideloading, but standard network scanners will not.

STEP 02

Trigger the package-manager edge case

The attacker then has to exercise the vulnerable code path in enableSystemPackageLPw during re-enablement of a system app after an update uninstall. The AOSP fix indicates the broken behavior is tied to reusing disabled package settings when a system app has a shared UID and sharedUserMaxSdkVersion semantics.

Conditions required:

A vulnerable system app is present
The app participates in the affected shared-UID path
The attacker can drive or influence the uninstall/re-enable sequence

Where this breaks in practice:

This is not a generic 'run one syscall, get root' primitive
The exploitability depends on package state and app metadata many devices will never hit
OEM variations may further reduce reproducibility

Detection/coverage: Very limited off-the-shelf scanner coverage. Validation is mostly via build/SPL assessment and code provenance, not exploit simulation.

STEP 03

Abuse broken UID/package state

Per the patch, the old logic could fail registerExistingAppId for shared-UID cases and re-scan/install the preloaded version as a new app, causing UID handling inconsistencies. That is the likely security boundary failure behind the CVE's local EoP claim.

Conditions required:

The vulnerable package transition succeeds
The target app/package layout matches the buggy shared-UID scenario

Where this breaks in practice:

The patch narrative suggests a brittle edge case rather than a universal primitive
Impact is device-local, not tenant- or fleet-wide from a single exploit event

Detection/coverage: Detection is mostly forensic: abnormal package-manager events, app state transitions, or post-compromise privilege behavior on the device.

STEP 04

Use elevated local position for device impact

Once elevated, an attacker could interfere with location-related behavior or leverage the stronger local position for data access, tampering, or persistence on that handset. This is meaningful for targeted surveillance or high-value mobile users, but the blast radius remains one compromised device at a time.

Conditions required:

Attacker successfully gained the elevated local context
Sensitive enterprise data or access tokens exist on-device

Where this breaks in practice:

MDM containerization, work profile separation, and strong app isolation can limit payoff
Compromising many devices still requires many separate local footholds

Detection/coverage: EDR/MTD may catch follow-on abuse; traditional vuln scanners and perimeter telemetry will not.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No official exploitation evidence found. Google notes limited targeted exploitation in the March 2026 bulletin for another CVE (`CVE-2026-21385`), not this one.
KEV status	Not listed in CISA's Known Exploited Vulnerabilities Catalog as of this review.
EPSS	User-supplied EPSS is 0.00004 (~0.004%), which is effectively floor-level exploit probability. I could not independently pull a CVE-specific official EPSS row through this tool, so treat the score as user-provided but directionally consistent with the rest of the evidence.
Proof-of-concept availability	No primary-source public PoC verified. The AOSP fix is public, so skilled Android exploit developers can study the bug, but I did not verify a working exploit from an authoritative source.
CVSS vector reality check	`AV:L/AC:L/PR:N/UI:N` means local code execution with no additional privileges, not internet-reachable compromise. The high CIA impacts apply after the attacker is already on the device.
Affected versions	Android bulletin lists 14, 15, 16, and 16-qpr2. NVD additionally enumerates `16.0 qpr2_beta_1`, `qpr2_beta_2`, and `qpr2_beta_3` in affected CPE history.
Fixed versions	Google states security patch level `2026-03-05` or later addresses all issues in the March 2026 bulletin. For Pixels, the March 2026 Pixel bulletin says supported devices receive `2026-03-05`.
Scanning and exposure data	No meaningful Shodan/Censys/FOFA exposure story. This is a handset-local package-manager flaw, not a remotely enumerable network service.
Disclosure timeline	Published 2026-03-02 in NVD/OSV and in Google's March 2026 Android Security Bulletin.
Researcher / reporting source	Public record points to Android / [email protected]. The public AOSP change is authored by Song Chun Fan and references internal bug `A-454062218`.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.4/10)

The decisive factor is attacker position: this bug is only useful after the adversary already has code execution on the Android device. That sharply limits reachable population and turns this into a mobile post-exploitation enhancer, not a broad fleet-wide initial access risk.

HIGH Attacker-position friction is materially lower risk than the vendor CVSS implies

MEDIUM Affected-version and patch-level mapping from Google/NVD

MEDIUM Absence of verified public exploitation or authoritative PoC

Why this verdict

Requires local code execution first: AV:L means the attacker must already be running on the handset, which is a built-in downward adjustment from the vendor's 8.4 baseline.
Specific package-manager state transition: the AOSP fix points to a narrow uninstall/re-enable/shared-UID edge case, not a universal privilege-escalation primitive you can spray across every device.
Low operational scale: even successful exploitation gives per-device impact, not one-shot compromise of a server tier or 10,000-host estate.

Why not higher?

It is not higher because this is not remotely reachable and not obviously wormable, internet-facing, or mass-exploited. The exploit chain appears to depend on both prior device foothold and a particular package-management condition, which compounds friction fast.

Why not lower?

It is not lower because local privilege escalation on managed mobile devices still matters, especially for executives, developers, and users with strong mobile token or messaging access. If an attacker already has app-level execution, an Android LPE can materially improve stealth, data access, and persistence.

05 · Compensating Control

What to do — in priority order.

Block sideloading — Use MDM/UEM policy to disable unknown-source installs and restrict app installation to managed stores. This attacks the main prerequisite — local malicious code — and for a MEDIUM verdict there is no mitigation SLA, so apply as normal hardening rather than emergency change.
Enforce Play Protect and MTD — Keep Google Play Protect enabled and ensure mobile threat defense telemetry is active on corporate Android devices. That raises the cost of initial on-device execution and should be maintained continuously; again, no mitigation SLA applies here.
Prioritize high-risk user groups — Inventory Android 14/15/16 devices used by admins, executives, developers, and travelers, then move those cohorts to 2026-03-05 or later SPL first. This narrows the realistic surveillance and token-theft payoff while you work through standard remediation.
Monitor package-manager anomalies — Collect device telemetry for app uninstall/re-enable events, especially around system apps and unusual package-state churn. It will not prevent exploitation, but it improves post-compromise visibility during the remediation window.

What doesn't work

A perimeter firewall does nothing here because there is no network-reachable service to block.
External vulnerability scanning does not meaningfully detect exploitability; this is build/SPL and device-state driven.
MFA does not stop the vulnerability itself; it only reduces the value of some follow-on account abuse.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and a USB- or network-connected Android device. Invoke it as ./check-cve-2026-0011.sh SERIAL or ./check-cve-2026-0011.sh for the default device; it needs permission to use adb, but not root on the device. It classifies by Android version and security patch level, so it is a practical fleet triage check, not a live exploit test.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-0011.sh
# Determine likely exposure to CVE-2026-0011 on an Android device via adb.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -euo pipefail

SERIAL="${1:-}"
ADB_BASE=(adb)
if [[ -n "$SERIAL" ]]; then
  ADB_BASE+=( -s "$SERIAL" )
fi

need_cmd() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "UNKNOWN: required command '$1' not found"
    exit 2
  }
}

need_cmd adb

adb_getprop() {
  local prop="$1"
  "${ADB_BASE[@]}" shell getprop "$prop" 2>/dev/null | tr -d '\r'
}

if ! "${ADB_BASE[@]}" get-state >/dev/null 2>&1; then
  echo "UNKNOWN: no adb device available"
  exit 2
fi

ANDROID_VERSION="$(adb_getprop ro.build.version.release)"
CODENAME="$(adb_getprop ro.build.version.release_or_codename)"
PATCH_LEVEL="$(adb_getprop ro.build.version.security_patch)"
MODEL="$(adb_getprop ro.product.model)"
FINGERPRINT="$(adb_getprop ro.build.fingerprint)"

if [[ -z "$PATCH_LEVEL" ]]; then
  echo "UNKNOWN: could not read security patch level"
  exit 2
fi

# Normalize version family.
# Affected according to Google/NVD: Android 14, 15, 16, and 16-qpr2 line.
AFFECTED=0
case "$ANDROID_VERSION" in
  14|15|16) AFFECTED=1 ;;
  *)
    case "$CODENAME" in
      14|15|16) AFFECTED=1 ;;
      *) AFFECTED=0 ;;
    esac
    ;;
esac

if [[ "$AFFECTED" -eq 0 ]]; then
  echo "PATCHED: device is not on an affected Android branch (model=$MODEL android=$ANDROID_VERSION codename=$CODENAME spl=$PATCH_LEVEL)"
  exit 0
fi

# Google states SPL 2026-03-05 or later addresses all March 2026 bulletin issues.
FIX_SPL="2026-03-05"

if [[ "$PATCH_LEVEL" < "$FIX_SPL" ]]; then
  echo "VULNERABLE: affected Android branch with security patch level before $FIX_SPL (model=$MODEL android=$ANDROID_VERSION codename=$CODENAME spl=$PATCH_LEVEL fp=$FINGERPRINT)"
  exit 1
fi

if [[ "$PATCH_LEVEL" >= "$FIX_SPL" ]]; then
  echo "PATCHED: affected Android branch but security patch level is $PATCH_LEVEL, which is >= $FIX_SPL (model=$MODEL android=$ANDROID_VERSION codename=$CODENAME)"
  exit 0
fi

echo "UNKNOWN: unable to classify device (model=$MODEL android=$ANDROID_VERSION codename=$CODENAME spl=$PATCH_LEVEL fp=$FINGERPRINT)"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like a server-side fire drill. Pull an inventory of Android 14/15/16 devices, confirm which ones are still below security patch level 2026-03-05, and move high-risk user cohorts first; because this is a MEDIUM reassessment, there is no noisgate mitigation SLA — go straight to the 365-day remediation window for the vendor patch under the noisgate remediation SLA, while maintaining standard mobile hardening like blocked sideloading and Play Protect during that window.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.