Skip to main content

Android CVE-2026-0089

| EUVDEUVD-2026-33801 HIGH
Improper Privilege Management (CWE-269)
2026-06-01 google_android GHSA-qm8c-qr7p-cv43
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:23 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
7.8 (HIGH)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
HIGH 7.8

DescriptionCVE.org

In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android (16-qpr2) allows a low-privileged local app to install unverified applications by abusing missing permission checks in PackageInstallerService.java. The flaw requires no user interaction and no public exploit identified at time of analysis, but its presence on Android's app install path makes it a strong candidate for inclusion in malicious app payloads.

Technical ContextAI

The vulnerability resides in Android's PackageInstallerService, the system-level service responsible for handling APK installation, session management, and verification of app packages. Per the description, multiple functions in PackageInstallerService.java omit a required permission check, which falls under CWE-269 (Improper Privilege Management) - a class of bugs where security-sensitive operations are executed without confirming the caller holds the necessary capability. The affected platform per CPE is cpe:2.3:a:google:android, with the EUVD record specifying Android 16-qpr2 (Quarterly Platform Release 2).

RemediationAI

Apply the Android Security Bulletin patch level 2026-06-01 or later, which addresses this issue in PackageInstallerService - see https://source.android.com/docs/security/bulletin/2026/2026-06-01 for the bulletin and OEM-specific patch references. Patch available per vendor advisory; an exact fix version string for 16-qpr2 is not independently confirmed in the provided data, so device owners should consult their OEM's June 2026 security patch level. Until patched, restrict installation of untrusted third-party apps (disable 'Install unknown apps' for all sources), enforce Play Protect, and on managed fleets use MDM policies to block sideloading and require minimum security patch level - note these controls reduce but do not eliminate risk, since a malicious app delivered through any channel could trigger the flaw.

Share

CVE-2026-0089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy