CVE-2026-0047

HIGH

ActivityManagerService - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-0047. PoCs published by adminlove520, XZ1r0, mobilehackinglab.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-0047, demonstrating an information leakage vulnerability in Android's ActivityManagerService due to missing permission checks. The PoC includes both a simulated vulnerable service and tools to audit real system services for the same flaw.

Description

In dumpBitmapsProto of ActivityManagerService.java, there is a possible way for an app to access private information due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (3)

github WORKING POC 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-0047

This repository contains a functional proof-of-concept exploit for CVE-2026-0047, demonstrating an information leakage vulnerability in Android's ActivityManagerService due to missing permission checks. The PoC includes both a simulated vulnerable service and tools to audit real system services for the same flaw.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Android ActivityManagerService (CVE-2026-0047)
No auth needed
Prerequisites: Android device with vulnerable ActivityManagerService · No special permissions required
devstral-2 · analyzed May 20, 2026 Full analysis →
github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/mobile/CVE-2026-0047-poc

This repository contains a functional proof-of-concept exploit for CVE-2026-0047, demonstrating an information leak vulnerability in Android's ActivityManagerService due to missing permission checks on the dumpBitmapsProto method. The PoC includes both a simulated vulnerable service and tools to audit real system services for similar vulnerabilities.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Android ActivityManagerService (pre-March 2026 security patch)
No auth needed
Prerequisites: Android device with vulnerable ActivityManagerService · Ability to install and run the provided APKs
devstral-2 · analyzed May 21, 2026 Full analysis →
github WORKING POC
by mobilehackinglab · javapoc
https://github.com/mobilehackinglab/CVE-2026-0047-poc

This repository contains a functional proof-of-concept exploit for CVE-2026-0047, demonstrating a missing permission check in Android's ActivityManagerService that allows any app to exfiltrate UI bitmaps from all running processes. The PoC includes both a direct exploit and a disguised attacker app, along with detailed technical analysis and patch information.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Android 16 QPR2 Beta (Baklava) with security patch level < 2026-03-01
No auth needed
Prerequisites: Android 16 QPR2 Beta (Baklava) emulator or device with security patch level before 2026-03-01
devstral-2 · analyzed May 01, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.4
EPSS 0.0014
EPSS Percentile 3.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-280
Status published
Products (1)
google/android 16.0 qpr2_beta_1 (3 CPE variants)
Published Mar 02, 2026
Tracked Since Mar 03, 2026