Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android (16-qpr2) allows a low-privileged local app to install unverified applications by abusing missing permission checks in PackageInstallerService.java. The flaw requires no user interaction and no public exploit identified at time of analysis, but its presence on Android's app install path makes it a strong candidate for inclusion in malicious app payloads.
Technical ContextAI
The vulnerability resides in Android's PackageInstallerService, the system-level service responsible for handling APK installation, session management, and verification of app packages. Per the description, multiple functions in PackageInstallerService.java omit a required permission check, which falls under CWE-269 (Improper Privilege Management) - a class of bugs where security-sensitive operations are executed without confirming the caller holds the necessary capability. The affected platform per CPE is cpe:2.3:a:google:android, with the EUVD record specifying Android 16-qpr2 (Quarterly Platform Release 2).
RemediationAI
Apply the Android Security Bulletin patch level 2026-06-01 or later, which addresses this issue in PackageInstallerService - see https://source.android.com/docs/security/bulletin/2026/2026-06-01 for the bulletin and OEM-specific patch references. Patch available per vendor advisory; an exact fix version string for 16-qpr2 is not independently confirmed in the provided data, so device owners should consult their OEM's June 2026 security patch level. Until patched, restrict installation of untrusted third-party apps (disable 'Install unknown apps' for all sources), enforce Play Protect, and on managed fleets use MDM policies to block sideloading and require minimum security patch level - note these controls reduce but do not eliminate risk, since a malicious app delivered through any channel could trigger the flaw.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33801
GHSA-qm8c-qr7p-cv43