01 · The Real Story
This is a fake badge printer inside the lobby, not a crowbar for the front door
CVE-2026-0020 is an Android permission-handling flaw in ParsedPermissionUtils.java that can let a locally running app bypass a consent dialog and obtain permissions it should not get. Google lists Android 14, 15, 16, and 16-qpr2 as affected in the March 2, 2026 bulletin, and the fix lands in the 2026-03-01 Android security patch level.
Google's HIGH 8.4 score is defensible in a lab because the end-state is serious privilege gain with no user interaction once the malicious app is in play. In enterprise reality, that baseline is too hot: the exploit path starts from a local app context, which means the attacker already cleared the biggest hurdle on managed fleets—getting code onto the device at all—so this is a meaningful mobile hardening issue, not the thing you bump remote edge bugs for.
"Technically nasty, operationally second-tier: this is a post-install Android LPE, not a fleet-wide fire drill"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Land a malicious app on the device
The attacker first needs executable code running as an app on the Android device. In practice that means a trojanized APK, a sideloaded app, or an abuse path through a less-trusted app distribution channel; there is no indication this CVE is remotely triggerable by itself.
Conditions required:
- Target is running Android 14, 15, 16, or 16-qpr2
- Attacker can get an app installed or otherwise execute local app code
- Device has not received the
2026-03-01Android security patch level
Where this breaks in practice:
- MDM-managed fleets often block sideloading and restrict unknown sources
- Corporate app allowlists and Play Protect reduce the reachable population
- This prerequisite already implies a prior compromise or successful social engineering stage
Detection/coverage: Traditional network scanners will miss this entirely. Coverage is better through mobile threat defense, MDM app inventory, Play Protect telemetry, and store/allowlist policy enforcement.
STEP 02
Abuse permission-group parsing with a crafted manifest
Based on the vendor fix diff, the vulnerable parser mishandles permission and permission-group names unless whitespace is normalized. A malicious APK can inferably craft manifest entries so the package parser treats a permission group differently than the consent UI logic expects, creating the dialog bypass condition.
Conditions required:
- Attacker controls the APK manifest
- Vulnerable package parsing logic is present
- Permission/group name normalization bug is reachable during package parse
Where this breaks in practice:
- This is a narrow bug in Android package parsing, not a generic permission bypass primitive
- Exploit reliability depends on exact platform build behavior
- OEM customization may alter patch uptake timing but not necessarily exploitability
Detection/coverage: Manifest-level static analysis can catch suspicious whitespace or malformed permission-group declarations, but generic vuln scanners usually only identify patch level, not exploit attempts.
STEP 03
Skip the consent boundary and inherit permissions
Once the parser accepts the crafted metadata, the app can bypass the expected consent dialog and obtain permissions it should have needed explicit approval for. That turns a standard app foothold into a higher-trust app context without the normal user-mediated control point.
Conditions required:
- The crafted permission-group relationship is accepted by the vulnerable parser
- The targeted permission meaningfully expands access on that device
Where this breaks in practice:
- Blast radius is one device at a time
- The exact permissions gained matter; not every permission escalation yields equal enterprise impact
- Some enterprise work profiles already limit data access even after app-level permission gain
Detection/coverage: Look for app permission grants that do not match expected install or consent flows. Mobile EDR/MTD and forensic review of package metadata are more useful than perimeter tools.
STEP 04
Use the new access for local collection or lateral abuse
With elevated app permissions, the attacker can pivot into data collection, stronger surveillance, or follow-on abuse of device-resident enterprise apps and tokens, depending on what was granted. The impact can be severe on an individual handset, but it does not magically turn into unauthenticated fleet-wide compromise.
Conditions required:
- Valuable enterprise data or tokens exist on the device
- The newly obtained permission set materially expands what the app can touch
Where this breaks in practice:
- Work profile separation, conditional access, and app sandboxing still constrain some follow-on abuse
- Per-device exploitation is labor-intensive compared with commodity remote edge exploitation
Detection/coverage: Detection is mostly behavioral: unusual app access patterns, suspicious data exfil, or MTD alerts from a newly installed app with unexpected privileges.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No evidence of active exploitation surfaced in the sources reviewed. The CISA ADP SSVC data attached to the CVE record marks exploitation as none, and the CVE is not in the CISA KEV catalog. |
|---|---|
| Proof-of-concept availability | No reliable public PoC was identified in the reviewed GitHub/news aggregation sources. Treat exploit development as plausible from the patch diff, but not yet a commodity click-and-run problem. |
| EPSS | Provided intel says 0.00004 (~0.004%), which is effectively floor-level exploit probability. Percentile was not supplied in the prompt, and no authoritative percentile value was confirmed from primary sources during review. |
| KEV status | Not KEV-listed. No CISA due date, no public federal emergency signal, and no vendor note tying this CVE to observed campaigns. |
| CVSS meaning | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H means *local* attack vector with high end impact. The key operational downgrade is AV:L: the attacker needs code on-device first. |
| Affected versions | Google lists Android 14, 15, 16, and 16-qpr2 as affected in the March 2026 Android Security Bulletin. |
| Fixed version / patch level | This issue is covered by the Android 2026-03-01 security patch level. Devices at 2026-03-01 or later should be treated as patched for this specific CVE; 2026-03-05 covers the full March bulletin. |
| Scanner / detection coverage | Feedly reports detection content was added in Qualys (610761, 610766), but patch-level and asset-inventory visibility matter more than exploit-attempt scanning here. |
| Exposure telemetry | Shodan/Censys/FOFA-style internet exposure data is basically not applicable. This is a device-side local privilege escalation path, so the reachable population is governed by app-install posture and mobile management policy, not exposed TCP services. |
| Disclosure and reporter | Published on 2026-03-02. The CVE is assigned by the google_android CNA; the public record does not disclose an external researcher and marks discovery as UNKNOWN. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to MEDIUM (5.1/10)
The decisive friction is attacker position: this bug starts from a local app foothold, so it is post-install and effectively post-initial-compromise for most enterprise fleets. That sharply narrows the exposed population compared with remotely reachable Android bugs, even though the per-device impact after successful exploitation can be serious.
HIGH Affected versions and fixed patch level
MEDIUM Operational exploitability assessment from public patch diff and CVE text
MEDIUM Absence of public exploitation evidence
Why this verdict
- Downgrade for attacker position:
AV:Lmeans the attacker needs code running on the handset first; that is a major real-world gate, not a footnote. - Downgrade for exposure fraction: managed enterprise Android fleets often restrict sideloading, unknown sources, and non-approved app install paths, so only a slice of devices are realistically reachable.
- Downgrade for blast radius: exploitation compromises one device context at a time; this is not a tenant-wide, server-side, or perimeter-facing failure mode.
- Hold at MEDIUM, not LOW: once a malicious app is present, the bypass is low-complexity, needs no additional privileges, and can materially expand access without user approval.
- Hold at MEDIUM, not HIGH: there is no KEV listing, no confirmed campaign use, and the provided EPSS (
0.00004) is near-zero, which is the opposite of urgent, broad weaponization.
Why not higher?
To score this as HIGH in an enterprise patch queue, you would want one of three amplifiers: remote reachability, active exploitation, or a broadly exposed population. This CVE has none of them in the reviewed evidence. The exploit chain begins after the attacker already has a local app foothold, which is exactly the kind of compounding prerequisite that pushes severity down.
Why not lower?
This is still a real privilege boundary failure in a massively deployed platform, and the impact on an individual device can be substantial once abused. The absence of required user interaction after install, plus the possibility of sensitive permission gain, keeps it above backlog-only hygiene.
05 · Compensating Control
What to do — in priority order.
- Block untrusted app installation — Enforce MDM policy to disable sideloading, unknown sources, and unmanaged app stores. For a
MEDIUMverdict there is no mitigation SLA, so do this in the next mobile policy cycle while you work toward patching within the 365-day remediation window. - Tighten mobile app allowlisting — Restrict installs to approved enterprise catalogs or Play-managed distributions so the attacker cannot easily satisfy the local-app prerequisite. With no mitigation SLA at this severity, align rollout to your normal mobility governance cadence and complete patching within 365 days.
- Review work-profile and conditional-access policy — Limit what a compromised handset can reach by enforcing app protection, device compliance gates, and minimum OS patch levels for enterprise data access. This reduces blast radius even if a device-level permission bypass succeeds.
- Monitor for suspicious newly installed apps — Use MTD/EDR for Android, Play Protect, and MDM inventory deltas to flag unexpected app installs and permission anomalies. This does not fix the bug, but it attacks the prerequisite that matters most here: getting code onto the device.
What doesn't work
- Perimeter IDS/IPS won't help much because there is no network-facing exploit step to intercept.
- WAF rules are irrelevant; this is not a web application bug.
- User awareness training alone is too weak a control if sideloading remains technically possible.
06 · Verification
Crowdsourced verification payload.
Run this from an auditor workstation with adb installed and USB or managed debugging access to the Android device. Invoke it as ./check_cve_2026_0020.sh <device-serial> or ./check_cve_2026_0020.sh for the only attached device; no root is required, but the host must be authorized for adb shell on the target.
#!/usr/bin/env bash
# check_cve_2026_0020.sh
# Determine likely exposure to CVE-2026-0020 from Android version + security patch level.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/adb failure
set -u
SERIAL="${1:-}"
ADB=(adb)
if [[ -n "$SERIAL" ]]; then
ADB+=( -s "$SERIAL" )
fi
fail() {
echo "UNKNOWN: $1"
exit 2
}
if ! command -v adb >/dev/null 2>&1; then
echo "UNKNOWN: adb not found in PATH"
exit 3
fi
STATE="$(${ADB[@]} get-state 2>/dev/null || true)"
if [[ "$STATE" != "device" ]]; then
echo "UNKNOWN: adb device not available or not authorized"
exit 3
fi
getprop_trim() {
${ADB[@]} shell getprop "$1" 2>/dev/null | tr -d '\r' | tr -d '\n'
}
PATCH_LEVEL="$(getprop_trim ro.build.version.security_patch)"
RELEASE="$(getprop_trim ro.build.version.release_or_codename)"
if [[ -z "$RELEASE" ]]; then
RELEASE="$(getprop_trim ro.build.version.release)"
fi
SDK="$(getprop_trim ro.build.version.sdk)"
FINGERPRINT="$(getprop_trim ro.build.fingerprint)"
if [[ -z "$PATCH_LEVEL" || -z "$SDK" ]]; then
fail "missing security patch level or SDK version"
fi
# Android SDK mapping used here:
# 34 = Android 14
# 35 = Android 15
# 36 = Android 16 / 16-qpr2 family
TARGET_PATCH="2026-03-01"
case "$SDK" in
34|35|36)
if [[ "$PATCH_LEVEL" < "$TARGET_PATCH" ]]; then
echo "VULNERABLE: Android release=${RELEASE:-unknown} sdk=$SDK patch_level=$PATCH_LEVEL fingerprint=$FINGERPRINT"
exit 1
else
echo "PATCHED: Android release=${RELEASE:-unknown} sdk=$SDK patch_level=$PATCH_LEVEL fingerprint=$FINGERPRINT"
exit 0
fi
;;
'')
fail "unable to determine Android SDK version"
;;
*)
# Outside the vendor-listed affected range; treat older versions as not affected by this CVE.
# Future versions are marked PATCHED/UNAFFECTED here because the specific vulnerable range is 14/15/16/16-qpr2.
echo "PATCHED: SDK $SDK is outside the vendor-listed affected range (14/15/16/16-qpr2); patch_level=$PATCH_LEVEL fingerprint=$FINGERPRINT"
exit 0
;;
esac
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: do not let this jump the queue ahead of remotely reachable or actively exploited issues. Use MDM reporting to find Android
14/15/16 devices that are still below the 2026-03-01 patch level, keep sideloading and unmanaged app installs locked down, and roll the vendor fix through your normal mobile patch program; because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA. If your environment allows broad BYOD sideloading or has weak mobile app controls, front-load those policy restrictions now even though there is no formal mitigation SLA for this bucket.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.