CVE-2026-28586 PUBLISHED

Assigner: google_android
Reserved: 02.03.2026 Published: 01.06.2026 Updated: 01.06.2026

In multiple functions of AppOpsService.java, there is a possible missing permission check due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Product Status

Vendor	Google
Product	Android
Versions	Default: unaffected Version 16-qpr2 is affected Version 16 is affected Version 15 is affected Version 14 is affected

References

https://source.android.com/docs/security/bulletin/2026/2026-06-01

Problem Types

Information disclosure