Description
In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Android’s DisableSupervisionActivity.kt, a missing null check allows an app or process to call the activity’s onCreate and delete the device’s supervision data without proper authorization. Removing this data removes critical device‑supervision controls and grants the attacker elevated privileges within the management context, compromising confidentiality, integrity, and availability of the supervised state. The flaw only requires local access and does not need additional execution privileges.

Affected Systems

Android OS on devices manufactured by Google. The vulnerability exists in the DisableSupervisionActivity.kt component, which is part of the system image. No specific version numbers are identified in the advisory, so all builds containing this component are potentially affected.

Risk and Exploitability

The CVSS score of 6.8 marks this issue as medium severity. With an EPSS score of less than 1%, the likelihood of real-world exploitation appears low, and CISA has not listed it in its KEV catalog. Exploitation requires a local user or process to launch or trigger the activity, but no user interaction is needed; once a malicious component can invoke the activity, it can delete the supervision data without further privileges.

Generated by OpenCVE AI on June 2, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android OS update that includes the fix for the null‑check omission in DisableSupervisionActivity.kt
  • Verify that device-management policies are configured so that only privileged system components can modify or invoke supervision data; disable the activity or restrict its invocation to system components so that non-system apps cannot launch it
  • Monitor device logs for unexpected calls to DisableSupervisionActivity and investigate any anomalous activity


Tracking


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Null Check Omission in Android Supervision Deletion
Weaknesses CWE-264
CWE-285

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Null Check Omission in Android Supervision Deletion
First Time appeared Google
Google android
Weaknesses CWE-264
CWE-285
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T15:40:22.852Z

Reserved: 2025-10-15T15:42:42.962Z

Link: CVE-2026-0086

Vulnrichment

Updated: 2026-06-02T15:40:19.102Z

NVD

Status: Undergoing Analysis

Published: 2026-06-01T22:16:22.340

Modified: 2026-06-02T17:16:25.160

Link: CVE-2026-0086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:00:19Z

Weaknesses