Description
In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Android, the DevicePolicyManagerService has a flaw that allows an application to hide a critical system package by sending malformed input. The improper validation results in the system becoming unable to access an essential package, causing a local denial of service. Because the vulnerability operates entirely within the device, it does not grant additional execution privileges but can disable vital system functions for the user. The weakness is rooted in inadequate input validation.

Affected Systems

The vulnerability affects Android devices managed through the DevicePolicyManagerService. The specific Android versions or build identifiers are not listed in the provided data, so all devices running affected Android releases are potentially vulnerable.

Risk and Exploitability

The attack can be carried out by a malicious or compromised local app without any user interaction. No remote execution or access is required. The CVSS score is 5.5, and the EPSS score is unavailable; the vulnerability is not listed in CISA's KEV catalog. Consequently, while the exact exploitation probability is unknown, local privilege escalation is not needed, making it a straightforward local denial of service that could impact system availability.

Generated by OpenCVE AI on June 2, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Android to the latest security patch that addresses this DevicePolicyManagerService flaw
  • If a patch is unavailable, remove or disable the affected device administration app or disable its privileges
  • Review and audit the list of device admin applications to ensure only trusted apps have admin rights
  • Configure device settings to prevent hiding of critical packages, if such an option exists
  • Apply vendor‑issued security advisories promptly and monitor for related updates



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:15:00 +0000

Type | Values Removed | Values Added
Title | | Android DevicePolicyManagerService Failure Causing Local Denial of Service

Tue, 02 Jun 2026 00:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Title | | Android DevicePolicyManagerService Failure Causing Local Denial of Service
First Time appeared | | Google; Google android
Weaknesses | | CWE-20
Vendors & Products | | Google; Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References | |

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:20:38.226Z

Reserved: 2025-10-15T15:40:53.641Z

Link: CVE-2026-0070

Vulnrichment

Updated: 2026-06-01T23:20:35.021Z

NVD

Status: Received

Published: 2026-06-01T22:16:21.467

Modified: 2026-06-02T00:16:35.527

Link: CVE-2026-0070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:00:14Z

Weaknesses