Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In performPreInstallChecks of InstallRepository.kt, there is a possible way to bypass MDM policy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Android 15, 16, and 16-qpr2 enables a low-privileged process to bypass Mobile Device Management (MDM) policy controls through a logic error in the InstallRepository.kt performPreInstallChecks function. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%, but the flaw permits silent policy circumvention without user interaction on enterprise-managed devices. Patched in the June 2026 Android Security Bulletin.
Technical ContextAI
The vulnerability resides in InstallRepository.kt, part of the Android PackageInstaller component responsible for validating application installations against device policy. The performPreInstallChecks function is intended to evaluate whether a proposed install is permitted under active MDM (Device Owner / Profile Owner) restrictions configured through DevicePolicyManager. CWE-693 (Protection Mechanism Failure) characterizes the root cause: a logic error in this check allows the protective control to be evaded rather than failing closed. Per the CPE (cpe:2.3:a:google:android:*) and EUVD affected-versions data, this affects Google Android 15, 16, and 16-qpr2 across the AOSP install pipeline.
RemediationAI
Apply the June 2026 Android Security Bulletin patch level (2026-06-01 or later) via OEM OTA updates as soon as it is offered for affected devices; the fix is published at https://source.android.com/docs/security/bulletin/2026/2026-06-01 and the patch is available per vendor advisory. Enterprises managing fleets via EMM/MDM should track per-OEM rollout, prioritize devices on Android 15, 16, and 16-qpr2, and use MDM compliance rules to flag or quarantine devices whose security patch level is older than 2026-06-01. As a compensating control until patched, restrict installation sources by disabling 'Install unknown apps' for all user profiles via DevicePolicyManager (UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES) and limit physical/USB/ADB access (set DISALLOW_DEBUGGING_FEATURES) - these reduce the local foothold needed but will block sideloading workflows some users depend on.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210017
GHSA-92cc-jfh8-g56m