Skip to main content

Google Android CVE-2026-0070

| EUVDEUVD-2026-33789 MEDIUM
Improper Input Validation (CWE-20)
2026-06-01 google_android GHSA-4wfp-3h3p-2j5x
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:32 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local denial of service in Google Android's DevicePolicyManagerService allows an authenticated local attacker to hide system-critical packages through improper input validation, rendering affected device functionality unavailable. Impacted versions span Android 14, 15, 16, and 16-qpr2, as confirmed in the June 2026 Android Security Bulletin. No public exploit or CISA KEV listing exists at time of analysis, and exploitation requires only low-level local privileges with no user interaction.

Technical ContextAI

DevicePolicyManagerService.java is a core Android system service responsible for enforcing enterprise device management policies (MDM/EMM). The vulnerability stems from CWE-20 (Improper Input Validation) across multiple functions within this service, allowing a crafted input to manipulate package visibility logic and cause a system-critical package to be hidden from the device. When essential packages are hidden, dependent system functionality can fail, producing a local denial of service. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, and the vulnerability spans four distinct Android release trains (14, 15, 16, and the 16-QPR2 quarterly platform release), indicating the defect exists in a shared code path across a broad Android codebase lineage.

RemediationAI

Apply the June 2026 Android Security Bulletin patch, available via the vendor advisory at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers (OEMs) must integrate and distribute this patch through their own update channels, so end-users should apply the latest available OEM security update for their device. An exact patched version number beyond the June 2026 patch level was not independently confirmed from the available source data. For enterprise environments, Mobile Device Management administrators should prioritize patch deployment enforcement across managed fleets given the direct involvement of DevicePolicyManagerService. In the absence of immediate patch availability from a device OEM, restricting side-loaded or untrusted application installation reduces the chance of a local attacker gaining the low-privilege access needed to trigger the vulnerability, though this is a partial compensating control only.

Share

CVE-2026-0070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy