Skip to main content

Android CVE-2026-0068

| EUVDEUVD-2026-37561 CRITICAL
Race Condition (CWE-362)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Local app install vector (AV:L), explicit user interaction required (UI:R), no prior privileges (PR:N); DPC removal crosses the management security authority so S:C with full C/I/A impact on the managed device.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:28 vuln.today
CVE Published
Jun 17, 2026 - 06:49 cve.org
CRITICAL 10.0

DescriptionCVE.org

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

AnalysisAI

Local privilege escalation in Android's PackageInstallerService allows a malicious app to remove a Device Policy Controller (DPC) from a managed device without Device Owner consent, breaking the enterprise management boundary. The flaw stems from a desynchronization between in-memory state and persisted state in createSessionInternal, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Lure user on managed device
Delivery
User sideloads malicious app
Exploit
App opens PackageInstaller session
Install
Trigger createSessionInternal desync
C2
Persisted state bypasses DO consent check
Execute
DPC silently removed
Impact
Device falls out of MDM management

Vulnerability AssessmentAI

Exploitation The device must be enrolled in an Android Enterprise managed configuration with a Device Owner DPC installed (otherwise there is nothing to remove), and the victim user must install and run an attacker-supplied app on that device - meaning sideloading or installation from a non-vetted source must be permitted by policy. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and should be reconciled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a malicious app (e.g., a repackaged utility on a third-party store) and social-engineers an employee with a corporate-managed Android device into installing it. On launch, the app abuses the createSessionInternal desync to issue an uninstall session targeting the enterprise DPC package; because the persisted state is out of sync with the policy check, the uninstall succeeds without Device Owner consent, leaving the device unmanaged and free of MDM controls. …
Remediation Patch available per vendor advisory - apply the Android security patch level published in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/android-17) once it is offered by your device OEM, and ensure managed-fleet devices are pinned to that or a later SPL via MDM compliance policy. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Android devices in MDM deployments and audit current Device Policy Controller configurations; enable enhanced monitoring and alerting for suspicious app installations on managed devices. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-0068 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy