Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
In setUserDisclaimerAcknowledged of CarDevicePolicyService.java, there is a possible way to bypass the user dialog when adding an account to a managed device due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android 14 and 15 allows a low-privileged app to bypass the user disclaimer dialog when adding an account to a managed automotive device, due to a missing permission check in CarDevicePolicyService.setUserDisclaimerAcknowledged. The flaw enables silent account provisioning on managed (enterprise) car devices without the user's awareness or consent, and no public exploit is identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation as 'none', so the issue is real but not currently weaponized.
Technical ContextAI
The vulnerability lives in CarDevicePolicyService.java, part of the Android Automotive (Car) framework used by Android-based in-vehicle infotainment systems and managed by Device Policy Manager APIs. The setUserDisclaimerAcknowledged method is intended to be callable only after the user has interactively seen and accepted a disclaimer when an enterprise/managed account is provisioned, but the method omits the caller-side permission check that gates this state transition. This is a textbook CWE-862 (Missing Authorization) issue: the trusted internal state ('user has acknowledged the disclaimer') can be set by an unprivileged caller, short-circuiting an explicit security UX control built into Android's managed-device account flow. The affected platform identified by CPE is cpe:2.3:a:google:android (any version field), with EUVD scoping the practical impact to Android 14 and Android 15 automotive builds.
RemediationAI
Apply the patch level from the Android Security Bulletin dated 2026-06-01 (https://source.android.com/docs/security/bulletin/2026/2026-06-01) on all Android 14 and Android 15 Automotive devices; the bulletin lists the exact source-tree fix for CarDevicePolicyService.setUserDisclaimerAcknowledged and the corresponding security patch level OEMs must ship. Vehicle OEMs and fleet operators should coordinate the OTA rollout with their Tier-1 supplier, since Android Automotive patches lag mainline Android and are gated by per-OEM release trains. As a compensating control until the OTA lands, restrict which apps can be sideloaded or pre-installed on managed car devices via Device Owner allow-listing, and avoid enrolling vehicles into managed-account workflows that rely on the disclaimer dialog for user awareness - the trade-off is reduced enterprise account-provisioning convenience. Generic compensating controls such as 'don't install untrusted apps' are weak here because exploitation only requires PR:L (any low-privileged app), so app vetting on the head unit is the highest-leverage interim mitigation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210010
GHSA-972f-8p3j-73wm