Skip to main content

Android Package Manager CVE-2026-0092

| EUVDEUVD-2026-37564 CRITICAL
Missing Authorization (CWE-862)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.8 HIGH

Description states local privilege escalation requiring an installed app, so AV:L and PR:L; no user interaction; full compromise of device-lock-controller-protected resources gives C/I/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:25 vuln.today
CVE Published
Jun 17, 2026 - 06:57 cve.org
CRITICAL 10.0

DescriptionCVE.org

In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local privilege escalation in Google Android's Package Manager allows on-device attackers to bypass the device lock controller due to a missing permission check, with no user interaction required. The flaw, disclosed in the Android Security Bulletin for Android 17, carries a vendor CVSS 4.0 score of 10.0 but is described as a local escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Install malicious app on Android 17 device
Delivery
Invoke unguarded Package Manager API
Exploit
Bypass device lock controller permission check
Execution
Gain device-lock-controller-equivalent privilege
Impact
Disable or alter device management policy

Vulnerability AssessmentAI

Exploitation Attacker must already have local code execution on the Android 17 device as an unprivileged app (any installed APK suffices - no special signature or permission grants required, per 'no additional execution privileges needed'); no user interaction is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with high impact on both vulnerable and subsequent systems) yields a 10.0 score, but this conflicts sharply with the description, which clearly states 'local escalation of privilege' - an AV:L scenario. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious application installed on an Android 17 device - for example a financed handset under a carrier device-lock program - invokes the unprotected Package Manager API path and bypasses the device-lock-controller restriction without prompting the user, allowing the device to be used outside its policy envelope or escalating privileges available to the malicious app. No POC is currently public, so realistic exploitation depends on a threat actor developing the trigger from the patch diff.
Remediation Apply the Android security patch level published in the Android 17 bulletin (https://source.android.com/docs/security/bulletin/android-17) - patch available per vendor advisory; exact SPL string should be read from that bulletin and pushed through OEM/carrier OTA channels. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all Android 17 devices in corporate inventory, BYOD programs, and managed device environments to identify exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-0092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy