Description
In setPackageOrComponentEnabled of ManagedServices.java, there is a possible notification policy desync due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Patch Promptly
AI Analysis

Impact

Improper input validation in the setPackageOrComponentEnabled function of Android’s ManagedServices module can desynchronize notification policy state, allowing a local attacker to gain elevated privileges without requiring any existing execution rights. The flaw does not need user interaction and can be triggered by exploiting the notification policy desynchronization to manipulate internal system components.

Affected Systems

This vulnerability affects Android operating systems 14.0, 15.0, and 16.0, including the three beta releases (16.0‑qpr2_beta_1, 16.0‑qpr2_beta_2, 16.0‑qpr2_beta_3).

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time; the flaw is not included in the CISA Known Exploited Vulnerabilities catalog. The attack vector is local, with no need for user interaction, meaning any user with access to the device could potentially exploit the flaw by invoking the vulnerable function through a malicious or compromised app.

Generated by OpenCVE AI on April 16, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android security patch or update the device to a version that includes the fix for this vulnerability.
  • If an update is not yet available, temporarily disable or reset the affected notification policy settings to revert to a default state.
  • Monitor device logs and security events for signs of privilege escalation or anomalous notification service behavior.

Generated by OpenCVE AI on April 16, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Improper Input Validation in Android ManagedServices

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In setPackageOrComponentEnabled of ManagedServices.java, there is a possible notification policy desync due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:56:41.563Z

Reserved: 2025-10-15T15:39:19.150Z

Link: CVE-2026-0034

cve-icon Vulnrichment

Updated: 2026-03-02T20:43:56.233Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:31.550

Modified: 2026-03-06T04:16:06.463

Link: CVE-2026-0034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses