Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description states local privilege escalation requiring an installed app, so AV:L and PR:L; no user interaction; full compromise of device-lock-controller-protected resources gives C/I/A:H.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local privilege escalation in Google Android's Package Manager allows on-device attackers to bypass the device lock controller due to a missing permission check, with no user interaction required. The flaw, disclosed in the Android Security Bulletin for Android 17, carries a vendor CVSS 4.0 score of 10.0 but is described as a local escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must already have local code execution on the Android 17 device as an unprivileged app (any installed APK suffices - no special signature or permission grants required, per 'no additional execution privileges needed'); no user interaction is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with high impact on both vulnerable and subsequent systems) yields a 10.0 score, but this conflicts sharply with the description, which clearly states 'local escalation of privilege' - an AV:L scenario. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious application installed on an Android 17 device - for example a financed handset under a carrier device-lock program - invokes the unprotected Package Manager API path and bypasses the device-lock-controller restriction without prompting the user, allowing the device to be used outside its policy envelope or escalating privileges available to the malicious app. No POC is currently public, so realistic exploitation depends on a threat actor developing the trigger from the patch diff. |
| Remediation | Apply the Android security patch level published in the Android 17 bulletin (https://source.android.com/docs/security/bulletin/android-17) - patch available per vendor advisory; exact SPL string should be read from that bulletin and pushed through OEM/carrier OTA channels. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all Android 17 devices in corporate inventory, BYOD programs, and managed device environments to identify exposure scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37564