External risk intelligence

Android Privilege Escalation via Carrier Restriction Bypass.

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-0063

A logic error in Android's phone interface manager allows for disabling carrier restrictions, potentially leading to local privilege escalation on a device. This vulnerability does not require user interaction or network access. Confirmation is needed to determine the specific relevance and reachability of this flaw wi

Halo Surface Signal

Very unlikely · external exposure

1Halo Surface Signal

This vulnerability affects PhoneInterfaceManager.java, a component within the Android telephony stack responsible for managing local device carrier restrictions. It is inherently a local, device-level function that is not exposed to or reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A logic error in Android's phone interface manager could allow unauthorized disabling of carrier restrictions, potentially leading to privilege escalation on a device without user interaction. The main concern is confirming relevance and exposure, as this vulnerability appears to be local to the device and not exploitable over the network.

Logic error bypasses carrier restrictions.
Local privilege escalation is possible.
Confirm relevance and local exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by initiating a local action on a device, targeting the `setAllowedCarriers` function within the PhoneInterfaceManager. This function's logic error allows for the disabling of carrier restrictions, potentially leading to privilege escalation.

No network access required.
Triggered by modifying carrier settings.
Allows local privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could potentially allow an attacker to bypass carrier restrictions on a device, leading to a local privilege escalation. User interaction is not required for exploitation, and the flaw exists within the `setAllowedCarriers` function in `PhoneInterfaceManager.java`.

Device carrier restrictions could be disabled.
Logic error allows privilege escalation.
Unauthorized control over carrier settings.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Android's telephony stack allows for local privilege escalation without user interaction. The affected component, `setAllowedCarriers` within `PhoneInterfaceManager.java`, has a logic error that could disable carrier restrictions. Given this is a local privilege escalation, the primary responsibility falls to device owners and administrators to identify affected devices, assess business criticality, and plan remediation, potentially involving coordination with mobile device management (MDM) or original equipment manufacturers (OEMs) if direct patching is not feasible.

Identify affected devices and owners.
Verify reachability and business criticality.
Plan phased remediation or risk reduction.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-0063 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for local privilege escalation and could lead to a PCI ASV scan failure. Remediation is likely required before a passing attestation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is PhoneInterfaceManager.java in Android?

PhoneInterfaceManager.java is a core component of the Android telephony stack. It handles communication between the operating system and the device's cellular hardware. Its primary role is managing carrier-specific settings, such as SIM card authentication and carrier restriction policies, which dictate how a device connects to and operates on specific mobile networks.

How does CVE-2026-0063 function as a security flaw?

This vulnerability is classified as Improper Privilege Management (CWE-269). A logic error exists within the 'setAllowedCarriers' function, which is designed to enforce carrier restrictions. Because of this flaw, the system can be manipulated to incorrectly disable these restrictions, allowing a user or process to gain higher levels of system control than normally permitted.

Do I need to interact with the device to trigger CVE-2026-0063?

No. The vulnerability does not require user interaction to be triggered. However, exploitation is dependent on local access. Because the flaw is rooted in internal device telephony management, it cannot be triggered remotely or through network-based requests; it requires a local action initiated directly on the device hardware.

Is my device at risk based on Halo Surface Signal?

According to Halo Surface Signal, this vulnerability is considered very unlikely to pose a risk to most environments. Because the affected PhoneInterfaceManager component operates entirely at the local device level, it is not exposed to or reachable from the public internet. It is an internal device function, not a network service.

How should I respond to CVE-2026-0063?

Since this is a local privilege escalation issue, prioritize identifying devices within your organization that may be running vulnerable versions of Android. Assess the business risk of these devices and coordinate with your mobile device management team or the original equipment manufacturer (OEM) to plan for and apply necessary system updates or security patches.

References

source.android.com/docs/security/bulletin/android-17

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.