Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
In createSessionInternal of PackageInstallerService.java, there is a possible to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Path traversal in Android's PackageInstallerService allows a local, unprivileged attacker to redirect a Device Policy Controller (DPC) installation into an unintended filesystem directory via a crafted install session, enabling local escalation of privilege on Android 14 through Android 16. No public exploit code has been identified at time of analysis, and EPSS at 0.01% (1st percentile) reflects minimal observed exploitation probability. The local attack vector (AV:L) constrains real-world exposure to scenarios where the attacker already has physical or application-level access to the device, materially limiting the attack surface compared to network-exploitable flaws.
Technical ContextAI
The vulnerability (CWE-22: Path Traversal) resides in the createSessionInternal method of PackageInstallerService.java, the Android OS component that manages package installation sessions. When constructing or resolving the target directory for a DPC update, the service fails to adequately sanitize user-supplied path components, permitting traversal sequences to redirect the DPC placement to an unintended filesystem location outside the intended installation directory. Device Policy Controllers are privileged Android components central to Android Enterprise and MDM/EMM-managed device deployments, making this flaw especially relevant in enterprise environments. Affected products per CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* span Android 14, 15, 16-qpr2, and 16 as confirmed by EUVD-2026-33782.
RemediationAI
Apply the June 2026 Android Security Patch Level (2026-06-01) as documented in the Android Security Bulletin at https://source.android.com/docs/security/bulletin/2026/2026-06-01. OEM and carrier-distributed patches may lag behind the AOSP baseline; device administrators should verify their specific device vendor's patch availability and deployment status. Enterprise environments using Android Enterprise or MDM solutions with active DPC deployments should prioritize patching given the DPC-specific attack surface of this vulnerability. If immediate patching is not feasible, restricting the installation of unknown or sideloaded applications (disabling 'Install unknown apps' in device settings or enforcing this via MDM policy) reduces the likelihood of a malicious application invoking PackageInstallerService in an exploit attempt, though this is not a complete mitigation for applications already present on the device. No additional compensating controls are documented in available sources.
Same weakness CWE-22 – Path Traversal
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33782
GHSA-r8c4-7j88-47m9