Description
In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In several functions of PackageInstallerService.java a missing permission check allows the installation of unverified applications. An attacker who can run code on the device can install any APK without user confirmation, giving the app elevated system privileges. The vulnerability does not require any special execution privileges or user interaction, so a local attacker can execute it immediately.

Affected Systems

Google Android devices are affected. Specific Android versions are not listed, but any system where PackageInstallerService.java includes the identified code may be vulnerable.

Risk and Exploitability

The flaw provides a local attack vector with no need for additional privileges or user action, making it highly exploitable by users with physical or local access. No EPSS data is available and the CVE is not listed in the CISA KEV catalog, and the CVSS score of 7.8 indicates a high severity. An attacker could install malicious apps that can then perform privileged actions, potentially compromising all data on the device.

Generated by OpenCVE AI on June 2, 2026 at 03:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security patch that corrects the missing permission check in PackageInstallerService.java.
  • Disable installation of apps from unknown sources or enable Play Protect restrictions until a patch is applied.
  • Monitor system logs for unexpected PackageInstallerService events or unverified app installations and enforce device integrity checks.

Generated by OpenCVE AI on June 2, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Android PackageInstallerService Missing Permission Check Enables Local Privilege Escalation
Weaknesses CWE-285

Tue, 02 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Android PackageInstallerService Missing Permission Check Enables Local Privilege Escalation
First Time appeared Google
Google android
Weaknesses CWE-285
Vendors & Products Google
Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-02T03:56:23.439Z

Reserved: 2025-10-15T15:42:47.559Z

Link: CVE-2026-0089

cve-icon Vulnrichment

Updated: 2026-06-01T23:14:34.720Z

cve-icon NVD

Status : Received

Published: 2026-06-01T22:16:22.640

Modified: 2026-06-02T00:16:36.290

Link: CVE-2026-0089

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T03:30:26Z

Weaknesses