External risk intelligence

Android NFC Use After Free Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-0083

A vulnerability in Android's NFC component could allow local privilege escalation through a use-after-free error caused by a race condition. This flaw is reachable and relevant for local attacks, and requires no user interaction or additional privileges to exploit, potentially impacting system data and service behavior

1Halo Surface Signal

Use After Free

Google Android

17.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-0083

The vulnerability exists in the NFC (Near Field Communication) subsystem of the Android operating system. NFC is a short-range wireless technology that requires physical proximity to a device to interact, making it inherently local and not reachable via the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-0083

Yes

CVE-2026-0083 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Android allows for local privilege escalation without user interaction. The Critical severity and network attack vector make it a high risk for systems processing payment card information.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A recently identified vulnerability in the Android operating system's NFC component could allow an attacker to escalate privileges on a device without needing any special permissions or user interaction. This is due to a race condition leading to a use-after-free error within the NFC event handling.

  • Issue: A flaw in NFC code allows privilege escalation.
  • Why remember: Affects a core system component.
  • Executive takeaway: Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by triggering a race condition within the NFC component's event callback function. This could involve manipulating the timing of operations related to NFC event handling. The vulnerability resides in the Nfc::eventCallback() function in Nfc.h.

  • Local privilege escalation is possible.
  • Race condition in NFC event handling.
  • No additional privileges needed.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect system data and service behavior due to a use-after-free race condition in the NFC component. When supported by the advisory, this could allow for privilege escalation on a local device.

  • System data and service behavior.
  • Race condition allows unauthorized access.
  • Local privilege escalation.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the NFC component of Android could allow for local privilege escalation. Identifying affected devices, confirming business criticality and reachability, and assigning ownership are the critical first steps. Remediation planning should then be based on the assessed risk.

  • Ownership: Android platform and security teams.
  • Verify first: Device reachability and criticality.
  • Action: Plan remediation based on risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the Android NFC component affected by CVE-2026-0083?

The NFC component is the subsystem within the Android operating system that manages Near Field Communication. This technology enables short-range wireless data exchange between your phone and other devices, such as payment terminals or digital key readers. CVE-2026-0083 specifically involves the code responsible for handling NFC events, which acts as the bridge between hardware signals and system software processes.

How does this use-after-free vulnerability work?

This is a memory management error classified as CWE-362, which refers to a race condition. It occurs when a program tries to use a piece of memory after it has already been cleared or freed. Because of a timing conflict in the software, the system accidentally accesses this 'stale' memory location while performing operations, potentially allowing an attacker to manipulate the system state and gain unauthorized control.

Does this vulnerability trigger over the internet?

No. Despite the network-related technical classification in some frameworks, the vulnerability relies on the NFC subsystem. Since NFC requires physical proximity to communicate, it cannot be triggered remotely over the internet. The bug specifically requires the device to process NFC-related events, meaning operations that do not involve active NFC communication or proximity to an NFC device will not trigger the flaw.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that this vulnerability is very unlikely to be reachable in most environments. Because the issue is tied to the physical NFC hardware subsystem, it requires local proximity rather than internet exposure. If your device is not physically near an attacker-controlled NFC transmitter, the risk remains minimal for typical usage scenarios.

What steps should I take if I use Android 17.0?

First, identify which devices in your fleet are running Android 17.0 to determine your total inventory. Next, assess the criticality of these devices based on how they are used and who has physical access to them. Coordinate with your platform security team to monitor for official vendor updates. Prioritize patching for devices that handle highly sensitive information or are accessible to unauthorized individuals in public spaces.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished