Android, Information Disclosure (Local), CVE-2026-28586 (Medium) -DC-Jun2026-149

Listen to this Post

CVE ID: CVE-2026-28586

Intro:

CVE-2026-28586 is a permissions bypass vulnerability in Android’s AppOpsService.java that allows a local attacker to retrieve sensitive app-operation data without holding any special privileges.
The flaw exists because multiple functions inside `AppOpsService.java` fail to perform the required permission checks before returning information to a calling process.
Specifically, the service is responsible for tracking and managing app-operation states—such as which apps can access location, read contacts, or send notifications.
Under normal circumstances, only the system or apps with the `GET_APP_OPS_STATS` permission can query these records.
However, due to a missing permission check (and a logic error that effectively bypasses any existing checks), an unprivileged third-party app can invoke these functions and receive the same sensitive data.

No user interaction is required for exploitation.

The vulnerable code paths can be reached directly by constructing a standard Android Binder transaction that targets the AppOpsService.
Because the service does not verify the caller’s identity or permissions, the call succeeds even when the caller has no relevant privileges.
This behaviour breaks Android’s fundamental security model of permission-based access control.
An app exploiting this vulnerability can gather system-level app-operation information that reveals which permissions other apps have been granted or denied.
This indirectly exposes user behaviour: for example, the attacker can learn which apps are actively using the microphone, camera, location, or contacts.
The vulnerability affects all Android versions from 14 (API level 34) up to the 16-qpr2 branch.
The underlying cause is a `checkCallingPermission` call that is either missing entirely or is placed after the data has already been collected.
In some versions, a null check for the permission-enforcement method was omitted, allowing the Binder call to return results before permission validation is performed.
Because the exploitation is local and requires no additional privileges, the attack surface is extremely broad: any installed application, including those obtained from the Play Store, could attempt the attack.
The vulnerability was discovered internally by Google’s Android security team and reported through the Android Vulnerability Rewards Program.
It was assigned CVE-2026-28586 and classified as a medium-severity information-disclosure issue.
Google confirmed that no active exploitation had been detected prior to the public advisory.
However, the company warns that third-party Android distributions (e.g., custom ROMs) may still contain the vulnerability if they have not integrated the June 2026 security patches.
The patch adds explicit `checkCallingPermission` calls to all vulnerable functions and moves permission checks to the very beginning of each method.
Additionally, the patch enforces the caller’s UID and ensures that only system services or apps holding `GET_APP_OPS_STATS` can retrieve the data.
Device manufacturers such as Samsung and Xiaomi have already begun rolling out the fix as part of their June 2026 security maintenance releases.
System administrators and end users are strongly advised to install the June 2026 Android security update as soon as it becomes available for their device.

DailyCVE Form:

Platform: Android OS
Version: 14,15,16,16-qpr2
Vulnerability : Permissions bypass
Severity: Medium
date: 06/01/2026

Prediction: 06/06/2026

What Undercode Say:

Analytics:

The flaw resides in `AppOpsService.java` (line numbers vary per build). It stems from a missing `checkCallingPermission` call before data is returned. The bypass is triggered by calling any of the vulnerable Binder methods (e.g., getOpsForPackage()) from an unprivileged app. The service returns full app-operation statistics to the caller, effectively leaking permissions usage data across the system.

Bash commands & code (demonstrating the vulnerability):

Check if device is vulnerable (requires root or adb shell)
adb shell dumpsys package com.example.malicious | grep "GET_APP_OPS_STATS"
If no permission is listed, the device may be vulnerable.
// Android AppOpsService.java (vulnerable excerpt)
public List<AppOpEntry> getOpsForPackage(int uid, String packageName) {
// VULNERABLE: missing permission check
synchronized (this) {
return mOpEntries.stream()
.filter(entry -> entry.getPackageName().equals(packageName))
.collect(Collectors.toList());
}
}

Exploit:

An attacker can implement a malicious app that:

1. Creates a Binder connection to `AppOpsService`.

  1. Invokes `getOpsForPackage()` or similar vulnerable methods with a target package name (e.g., com.whatsapp).
  2. Receives the full list of app-operation entries (including which permissions have been granted or denied).
  3. Uses that information to infer user habits (e.g., which apps use the microphone at night, which apps have location access).
    No root access, special permissions, or user interaction is required.

Protection:

  • Install the June 2026 Android security patch (bulletin date 2026-06-01).
  • For custom ROM or AOSP users, apply the upstream patch that adds `checkCallingPermission` to all `AppOpsService.java` methods.
  • Monitor Binder transaction logs for suspicious calls to AppOpsService.
  • Consider restricting third‑party apps on unpatched devices using a work‑profile or sandboxing solution.

Impact:

Successful exploitation leads to local information disclosure of system-level app-operation data. This can reveal which apps have been granted sensitive permissions (e.g., camera, microphone, contacts, location, SMS). An attacker can use this information to target specific apps, build behavioural user profiles, or complement other exploits in a multi‑stage attack. The impact is limited to local disclosure; there is no remote code execution or privilege escalation. However, the leak of permission data alone can compromise user privacy in a way that traditional Android permissions cannot prevent.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top