Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android 16-QPR2 enables an unprivileged local actor to delete device supervision data by exploiting a missing null check in the onCreate() method of DisableSupervisionActivity.kt, effectively dismantling enterprise MDM controls without requiring elevated privileges or user interaction. The flaw (CWE-269: Improper Privilege Management) is bounded to local access but operates with no authentication prerequisite, making it exploitable by any installed app or local user on a supervised managed device. No public exploit identified at time of analysis, and an EPSS of 0.01% reflects negligible observed exploitation probability; however, organizational risk in enterprise Android deployments is disproportionately higher than the base score suggests.
Technical ContextAI
The vulnerability resides in DisableSupervisionActivity.kt, a component of Android's enterprise device supervision framework, within the Activity lifecycle callback onCreate(). A missing null check on an expected input or object reference allows an attacker to trigger the supervision data deletion path without proper validation or privilege enforcement. CWE-269 (Improper Privilege Management) identifies the root cause as a failure to enforce appropriate privilege boundaries during a sensitive operation - supervision data deletion - which should be guarded against unprivileged invocation. Android device supervision is the mechanism used by MDM (Mobile Device Management) solutions and parental controls to enforce organizational policies on enrolled devices. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers the Android application platform layer, with ENISA EUVD-2026-33798 narrowing the confirmed affected surface to Android 16-QPR2 specifically.
RemediationAI
Apply the security update documented in Google's Android Security Bulletin for June 1, 2026, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01; the exact patched build number should be verified directly from that bulletin, as no specific patched release version is independently confirmed in the available data. OEM device manufacturers typically distribute these patches through standard over-the-air update channels, so enterprise administrators should verify which OEM builds incorporate the June 2026 SPL (Security Patch Level). For enterprise environments where immediate patching is delayed, administrators should evaluate restricting invocation of DisableSupervisionActivity via MDM policy configuration - note this trade-off may interfere with legitimate supervision lifecycle management workflows. Limiting physical and logical device access to trusted personnel reduces exposure in the interim. No workaround is confirmed in the provided data beyond the vendor patch.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33798
GHSA-vgqp-c67c-r79g