Skip to main content

Google Android CVE-2026-0055

| EUVDEUVD-2026-33782 MEDIUM
Path Traversal (CWE-22)
2026-06-01 google_android GHSA-r8c4-7j88-47m9
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 17:29 vuln.today
CVSS changed
Jun 02, 2026 - 17:22 NVD
6.2 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 6.2
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In createSessionInternal of PackageInstallerService.java, there is a possible to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Path traversal in Android's PackageInstallerService allows a local, unprivileged attacker to redirect a Device Policy Controller (DPC) installation into an unintended filesystem directory via a crafted install session, enabling local escalation of privilege on Android 14 through Android 16. No public exploit code has been identified at time of analysis, and EPSS at 0.01% (1st percentile) reflects minimal observed exploitation probability. The local attack vector (AV:L) constrains real-world exposure to scenarios where the attacker already has physical or application-level access to the device, materially limiting the attack surface compared to network-exploitable flaws.

Technical ContextAI

The vulnerability (CWE-22: Path Traversal) resides in the createSessionInternal method of PackageInstallerService.java, the Android OS component that manages package installation sessions. When constructing or resolving the target directory for a DPC update, the service fails to adequately sanitize user-supplied path components, permitting traversal sequences to redirect the DPC placement to an unintended filesystem location outside the intended installation directory. Device Policy Controllers are privileged Android components central to Android Enterprise and MDM/EMM-managed device deployments, making this flaw especially relevant in enterprise environments. Affected products per CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* span Android 14, 15, 16-qpr2, and 16 as confirmed by EUVD-2026-33782.

RemediationAI

Apply the June 2026 Android Security Patch Level (2026-06-01) as documented in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM and carrier-distributed patches may lag behind the AOSP baseline; device administrators should verify their specific device vendor's patch availability and deployment status. Enterprise environments using Android Enterprise or MDM solutions with active DPC deployments should prioritize patching given the DPC-specific attack surface of this vulnerability. If immediate patching is not feasible, restricting the installation of unknown or sideloaded applications (disabling 'Install unknown apps' in device settings or enforcing this via MDM policy) reduces the likelihood of a malicious application invoking PackageInstallerService in an exploit attempt, though this is not a complete mitigation for applications already present on the device. No additional compensating controls are documented in available sources.

Share

CVE-2026-0055 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy