Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local denial of service in Google Android's DevicePolicyManagerService allows an authenticated local attacker to hide system-critical packages through improper input validation, rendering affected device functionality unavailable. Impacted versions span Android 14, 15, 16, and 16-qpr2, as confirmed in the June 2026 Android Security Bulletin. No public exploit or CISA KEV listing exists at time of analysis, and exploitation requires only low-level local privileges with no user interaction.
Technical ContextAI
DevicePolicyManagerService.java is a core Android system service responsible for enforcing enterprise device management policies (MDM/EMM). The vulnerability stems from CWE-20 (Improper Input Validation) across multiple functions within this service, allowing a crafted input to manipulate package visibility logic and cause a system-critical package to be hidden from the device. When essential packages are hidden, dependent system functionality can fail, producing a local denial of service. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, and the vulnerability spans four distinct Android release trains (14, 15, 16, and the 16-QPR2 quarterly platform release), indicating the defect exists in a shared code path across a broad Android codebase lineage.
RemediationAI
Apply the June 2026 Android Security Bulletin patch, available via the vendor advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers (OEMs) must integrate and distribute this patch through their own update channels, so end-users should apply the latest available OEM security update for their device. An exact patched version number beyond the June 2026 patch level was not independently confirmed from the available source data. For enterprise environments, Mobile Device Management administrators should prioritize patch deployment enforcement across managed fleets given the direct involvement of DevicePolicyManagerService. In the absence of immediate patch availability from a device OEM, restricting side-loaded or untrusted application installation reduces the chance of a local attacker gaining the low-privilege access needed to trigger the vulnerability, though this is a partial compensating control only.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33789
GHSA-4wfp-3h3p-2j5x