Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In multiple functions of DevicePolicyManagerService.java, there is a possible desync from persistence due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Local denial of service in Google Android's DevicePolicyManagerService affects Android 14, 15, 16, and 16-qpr2 via improper input validation across multiple service functions. A local attacker with basic user-level privileges can trigger a desynchronization between in-memory and persisted device policy state without requiring user interaction, resulting in high availability impact to the device policy management subsystem. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable impact.
Technical ContextAI
DevicePolicyManagerService is a core Android system service responsible for enforcing Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) policies across device-wide settings. The vulnerability is rooted in CWE-20 (Improper Input Validation) across multiple functions within DevicePolicyManagerService.java. When the service receives malformed or unexpected input, it fails to validate it properly, causing a desynchronization between the in-memory policy state and the persisted on-disk state. This desync can leave the device policy manager in an inconsistent or non-functional state, effectively denying service to the Android device policy subsystem. Affected products per CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* span Android 14, 15, 16, and 16-qpr2 as confirmed by ENISA EUVD-2026-33812.
RemediationAI
Apply the patches published in the Android Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. No exact patched version number beyond the bulletin date is independently confirmed in the available data. OEM and carrier-distributed devices should receive corresponding monthly security patches - verify that the device security patch level reflects June 1, 2026 or later. As a compensating control where patching is delayed, restricting installation of untrusted local applications reduces the pool of potential triggers, though this does not eliminate exploitation by already-present local accounts. Restricting MDM enrollment interactions on unmanaged or BYOD devices may also reduce exposure surface, but this trade-off impacts enterprise management functionality.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33812
GHSA-29gf-hgr6-3gvc