Skip to main content

Google Android EUVDEUVD-2026-33812

| CVE-2026-28578 MEDIUM
Improper Input Validation (CWE-20)
2026-06-01 google_android GHSA-29gf-hgr6-3gvc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:35 vuln.today
CVSS changed
Jun 01, 2026 - 23:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In multiple functions of DevicePolicyManagerService.java, there is a possible desync from persistence due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Local denial of service in Google Android's DevicePolicyManagerService affects Android 14, 15, 16, and 16-qpr2 via improper input validation across multiple service functions. A local attacker with basic user-level privileges can trigger a desynchronization between in-memory and persisted device policy state without requiring user interaction, resulting in high availability impact to the device policy management subsystem. No public exploit has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable impact.

Technical ContextAI

DevicePolicyManagerService is a core Android system service responsible for enforcing Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) policies across device-wide settings. The vulnerability is rooted in CWE-20 (Improper Input Validation) across multiple functions within DevicePolicyManagerService.java. When the service receives malformed or unexpected input, it fails to validate it properly, causing a desynchronization between the in-memory policy state and the persisted on-disk state. This desync can leave the device policy manager in an inconsistent or non-functional state, effectively denying service to the Android device policy subsystem. Affected products per CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* span Android 14, 15, 16, and 16-qpr2 as confirmed by ENISA EUVD-2026-33812.

RemediationAI

Apply the patches published in the Android Security Bulletin dated 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. No exact patched version number beyond the bulletin date is independently confirmed in the available data. OEM and carrier-distributed devices should receive corresponding monthly security patches - verify that the device security patch level reflects June 1, 2026 or later. As a compensating control where patching is delayed, restricting installation of untrusted local applications reduces the pool of potential triggers, though this does not eliminate exploitation by already-present local accounts. Restricting MDM enrollment interactions on unmanaged or BYOD devices may also reduce exposure surface, but this trade-off impacts enterprise management functionality.

Share

EUVD-2026-33812 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy