CVE-2026-0016 PUBLISHED

Assigner: google_android
Reserved: 15.10.2025 Published: 01.06.2026 Updated: 01.06.2026

In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product Status

Vendor	Google
Product	Android
Versions	Default: unaffected Version 16-qpr2 is affected Version 16 is affected

References

https://source.android.com/docs/security/bulletin/2026/2026-06-01

Problem Types

Information disclosure