Fingerprint Unlock Vulnerability in Android Biometric App
CVE-2026-0017 · ASB-A-444673089 · CVSS 7.7
Summary
A logic error in the Android fingerprint unlock code could let fingerprint unlock be enabled without authorization, allowing access to the device without its password or PIN. An attacker with local access could then read sensitive information and take control of the device. Users should update the affected components to the fixed versions listed below.
What to do
- Update google platform/frameworks/base to version 16-qpr2-next:2026-03-01.
- Update google platform/packages/apps/settings to version 16-qpr2-next:2026-03-01.
- Update google platform/frameworks/base to version 16:2026-03-01.
- Update google platform/packages/apps/settings to version 16:2026-03-01.
- Update google platform/frameworks/base to version 16-qpr2:2026-03-01.
- Update google platform/packages/apps/settings to version 16-qpr2:2026-03-01.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | android | 16.0 | – |
| google | platform/frameworks/base | > 16-qpr2-next:0 , <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| google | platform/packages/apps/settings | > 16-qpr2-next:0 , <= 16-qpr2-next:2026-03-01 | 16-qpr2-next:2026-03-01 |
| google | platform/frameworks/base | > 16:0 , <= 16:2026-03-01 | 16:2026-03-01 |
| google | platform/packages/apps/settings | > 16:0 , <= 16:2026-03-01 | 16:2026-03-01 |
| google | platform/frameworks/base | > 16-qpr2:0 , <= 16-qpr2:2026-03-01 | 16-qpr2:2026-03-01 |
| google | platform/packages/apps/settings | > 16-qpr2:0 , <= 16-qpr2:2026-03-01 | 16-qpr2:2026-03-01 |
Original title
In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional exec...
Original description
In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
NVD CVSS 3.1 base score
7.7
Vulnerability type
- CWE-285 Improper Authorization
- CWE-693 Protection Mechanism Failure
References
- https://source.android.com/docs/security/bulletin/2026/2026-03-01
- https://source.android.com/security/bulletin/2026-03-01 (Vendor Advisory)
- https://android.googlesource.com/platform/packages/apps/Settings/+/7d8fbee887fc9... (Patch)
- https://android.googlesource.com/platform/frameworks/base/+/cea235f00865ff73344f... (Patch)
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026