Description
In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the createSessionInternal method of Android's PackageInstallerService allows a Device Policy Controller (DPC) app to be removed from a managed device without the Device Owner's consent, because of a desynchronization between the service's in-memory state and its persisted session data. A malicious app installed by the user, needing no additional execution privileges, could trigger this to strip the device of its management app and every policy that app enforces, which the record classifies as a local escalation of privilege. The impact is confined to the device on which the malicious app is installed. The record assigns no CWE; the behaviour described amounts to a missing authorization check on a privileged operation (removal of the DPC).

Affected Systems

The affected product is Google Android. The CNA record lists no affected version range, so the corresponding Android Security Bulletin is the authoritative source for which releases and security patch levels are affected and fixed. Administrators of managed devices should compare each device's security patch level (Settings > About phone, or `adb shell getprop ro.build.version.security_patch`) against that bulletin and apply the update that includes the fix.

Risk and Exploitability

The record carries a CVSS v4.0 score of 10 (Critical), but the vector attached to it (AV:N/AC:L/AT:N/PR:N/UI:N, with every impact metric High) does not match the description, which calls the issue a local escalation of privilege that requires user interaction; read the score with that discrepancy in mind. The EPSS score below 1% signals a low estimated probability of exploitation in the wild, and the CVE is not in CISA's KEV catalog. Exploitation as described requires only that a malicious app be installed on the device by the user: the attacker needs no physical access and no extra permissions, just a way to get the app installed. Because losing the DPC means losing every policy it enforced on a managed device, fleet administrators should treat the fix as a priority as soon as it is available.

Generated by OpenCVE AI on June 17, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android security update that addresses this issue as soon as Google publishes it; at the time of writing the record lists no fix or workaround, so confirm coverage against the corresponding Android Security Bulletin rather than assuming a given patch level includes it
  • Until patched, reduce the chance that a user can install an untrusted app on a managed device: the Device Owner can set the UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction (or DISALLOW_INSTALL_APPS where only managed-store installs are acceptable) through DevicePolicyManager.addUserRestriction
  • Monitor that the DPC remains installed and remains Device Owner; a managed device that unexpectedly reports no device owner, or a different one, has lost every policy the DPC enforced and should be treated as compromised and re-enrolled
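A check for the last action above, added here as an example (it is not code from the CVE record, OpenCVE or Google): it parses `adb shell dumpsys device_policy` output to confirm that the expected DPC is still Device Owner, and falls back to a constructed sample when no device is attached so it can be tried offline. The package name com.example.dpc and the exact layout of the dumpsys output are assumptions; that layout differs between Android releases, so verify it on one of your own devices before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the CVE record, OpenCVE or Google): confirm that a
# managed Android device still has the Device Owner (DPC) it is supposed to
# have. Assumptions: the DPC package name in EXPECTED_DPC, and the layout of
# `dumpsys device_policy` output, which differs between Android releases and
# must be checked on a real device.

EXPECTED_DPC="${EXPECTED_DPC:-com.example.dpc}"

# Constructed sample of `adb shell dumpsys device_policy` output (assumed layout).
SAMPLE_DUMPSYS='Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.dpc/com.example.dpc.AdminReceiver}
    package=com.example.dpc
    User ID: 0
  Profile Owner (User 10):
    package=com.example.profile'

# Print the package= value inside the "Device Owner:" block, or nothing if
# there is no device owner. Scanning stops at the next two-space-indented
# block, so a Profile Owner entry is never mistaken for the DO.
device_owner_package() {
    printf '%s\n' "$1" | awk '
        /^  Device Owner:/        { in_do = 1; next }
        in_do && /^    package=/ { sub(/^    package=/, ""); print; exit }
        in_do && /^  [^ ]/       { in_do = 0 }
    '
}

# Exit status: 0 = expected DPC is device owner, 1 = a different package is,
# 2 = no device owner at all (the state a DPC removal would leave behind).
check_device_owner() {
    pkg=$(device_owner_package "$1")
    if [ -z "$pkg" ]; then
        return 2
    elif [ "$pkg" = "$EXPECTED_DPC" ]; then
        return 0
    else
        return 1
    fi
}

# Live check when adb is on PATH and a device is attached; otherwise run
# against the constructed sample so the script is usable offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    DUMPSYS=$(adb shell dumpsys device_policy)
else
    DUMPSYS=$SAMPLE_DUMPSYS
fi
rc=0
check_device_owner "$DUMPSYS" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "ok: device owner is $EXPECTED_DPC"
else
    echo "ALERT: device owner check failed (status $rc)" >&2
fi
```

Run it against a USB-attached device with EXPECTED_DPC set to your DPC's package name; status 2 means no Device Owner is set, which on a device that was enrolled is the condition to alert on and investigate.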

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Google
                                      Google android
Vendors & Products                    Google
                                      Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description                    In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.
References                     (none listed)
Metrics                        cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T14:17:31.940Z

Reserved: 2025-10-15T15:40:50.621Z

Link: CVE-2026-0068

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T08:30:04Z

Weaknesses

No weakness.