Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local app install vector (AV:L), explicit user interaction required (UI:R), no prior privileges (PR:N); DPC removal crosses the management security authority so S:C with full C/I/A impact on the managed device.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.
AnalysisAI
Local privilege escalation in Android's PackageInstallerService allows a malicious app to remove a Device Policy Controller (DPC) from a managed device without Device Owner consent, breaking the enterprise management boundary. The flaw stems from a desynchronization between in-memory state and persisted state in createSessionInternal, and no public exploit has been identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The device must be enrolled in an Android Enterprise managed configuration with a Device Owner DPC installed (otherwise there is nothing to remove), and the victim user must install and run an attacker-supplied app on that device - meaning sideloading or installation from a non-vetted source must be permitted by policy. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and should be reconciled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a malicious app (e.g., a repackaged utility on a third-party store) and social-engineers an employee with a corporate-managed Android device into installing it. On launch, the app abuses the createSessionInternal desync to issue an uninstall session targeting the enterprise DPC package; because the persisted state is out of sync with the policy check, the uninstall succeeds without Device Owner consent, leaving the device unmanaged and free of MDM controls. … |
| Remediation | Patch available per vendor advisory - apply the Android security patch level published in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/android-17) once it is offered by your device OEM, and ensure managed-fleet devices are pinned to that or a later SPL via MDM compliance policy. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Android devices in MDM deployments and audit current Device Policy Controller configurations; enable enhanced monitoring and alerting for suspicious app installations on managed devices. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-362 – Race Condition
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37561