CVE-2026-0005 is a security vulnerability identified in Google Android versions 14, 15, and 16, specifically within the onServiceDisconnected method of the KeyguardServiceDelegate.java file. The issue arises from a missing permission check that results in a partial bypass of the app pinning feature. App pinning is designed to restrict user interaction to a single app, typically to prevent unauthorized access to other apps or sensitive data. Due to this flaw, an attacker with local access can interact with other apps beyond the pinned app without needing to know the lock screen keyguard (LSKF) credentials. This interaction is limited and app-dependent, meaning the extent of information disclosure varies based on the targeted app's design and data exposure. Importantly, exploitation does not require user interaction or additional execution privileges, making it easier for an attacker with local access to leverage this vulnerability. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of local information disclosure, potentially leaking sensitive user data. The absence of a CVSS score necessitates an assessment based on the impact on confidentiality, ease of exploitation, and scope of affected systems. The vulnerability is particularly concerning because it undermines a core security feature (app pinning) intended to protect user privacy and device security.

The primary impact of CVE-2026-0005 is local information disclosure on affected Android devices. Attackers with local access can bypass app pinning restrictions partially, allowing them to interact with other apps without authentication. This can lead to unauthorized access to sensitive information stored or displayed by those apps, potentially compromising user privacy and confidentiality. Although the vulnerability does not grant additional execution privileges or allow remote exploitation, the ability to bypass security controls without user interaction increases the risk for users who might lose physical control of their devices or have malicious apps installed. Organizations relying on Android devices for sensitive communications or data storage could face data leakage risks, especially in environments where devices are shared or physically accessible by untrusted individuals. The impact is app-dependent, so apps with weak internal protections or sensitive data exposure are at higher risk. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits in the future.

1. Apply official security patches from Google as soon as they become available for Android versions 14, 15, and 16 to address the missing permission check in KeyguardServiceDelegate.java. 2. Until patches are deployed, limit physical access to devices and avoid leaving devices unattended to reduce risk of local exploitation. 3. Review and harden app-level security controls, especially for apps handling sensitive data, to minimize impact from unauthorized interactions. 4. Implement device management policies that restrict installation of untrusted apps and enforce strong lock screen authentication methods. 5. Monitor device behavior for unusual app interactions or unauthorized access attempts that could indicate exploitation of this vulnerability. 6. Educate users about the risks of leaving devices unlocked or unattended and the importance of applying updates promptly. 7. For organizations, consider deploying endpoint detection and response (EDR) solutions capable of detecting anomalous local app interactions.