Description
In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the createSessionInternal method of PackageInstallerService.java, where a missing permission check allows an application to change its own ownership. This omission can enable a local privilege escalation, granting the application elevated privileges without requiring any additional execution capabilities. The flaw does not need user interaction, meaning a malicious app can exploit it silently on the device.

Affected Systems

Android 14.0, 15.0 and 16.0 are affected, including the 16.0 qpr2 beta 1, beta 2 and beta 3 releases, on devices manufactured by Google and on other devices running the Android platform.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% shows a low current exploitation probability. The flaw is not listed in CISA's KEV catalog. Any local application on the device can exploit the issue, using the missing permission check to gain higher-level privileges. The attack vector is local because the attacker must already have an app running on the device; no user interaction is required, and the impact is confined to that device owner's environment.

Generated by OpenCVE AI on April 16, 2026 at 05:47 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Install the latest Android OS update that contains the fix for CVE-2026-0023.
  • If an update is unavailable, restrict app installation to trusted sources and revoke any unnecessary system permissions that allow package manipulation.
  • Use device security monitoring to detect suspicious PackageInstallerService activity and consider imposing enterprise app management policies to limit installation privileges.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Missing Permission Check in Android PackageInstallerService

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
CPEs cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:* cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 03 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 03 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Weaknesses CWE-862
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*
Vendors & Products Google
Google android
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-11T15:02:28.452Z

Reserved: 2025-10-15T15:38:59.885Z

Link: CVE-2026-0023

Vulnrichment

Updated: 2026-03-03T14:48:10.421Z

NVD

Status : Modified

Published: 2026-03-02T19:16:30.460

Modified: 2026-03-06T04:16:04.743

Link: CVE-2026-0023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:00:10Z

Weaknesses