Skip to main content

Android EUVDEUVD-2026-37561

| CVE-2026-0068 CRITICAL
Race Condition (CWE-362)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Local app install vector (AV:L), explicit user interaction required (UI:R), no prior privileges (PR:N); DPC removal crosses the management security authority so S:C with full C/I/A impact on the managed device.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:28 vuln.today
CVE Published
Jun 17, 2026 - 06:49 cve.org
CRITICAL 10.0

DescriptionCVE.org

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

AnalysisAI

Local privilege escalation in Android's PackageInstallerService allows a malicious app to remove a Device Policy Controller (DPC) from a managed device without Device Owner consent, breaking the enterprise management boundary. The flaw stems from a desynchronization between in-memory state and persisted state in createSessionInternal, and no public exploit has been identified at time of analysis. User interaction is required, but no additional execution privileges are needed beyond installing the malicious app.

Technical ContextAI

The vulnerability lives in PackageInstallerService.java, the core Android service that brokers all package install/uninstall sessions across Google Android (cpe:2.3:a:google:android). createSessionInternal is the entry point that constructs an InstallSession used by PackageInstaller clients. According to the description, the in-memory session state diverges from the on-disk persisted state ('desync from persistence'), which is a state-management / TOCTOU-class weakness (no specific CWE was published, but the behavior is consistent with CWE-367/CWE-372 race or stale-state checks). The practical consequence is that uninstall logic which should be gated by Device Owner (DO) approval can be applied to the DPC package itself, defeating the management model that Android Enterprise relies on.

RemediationAI

Patch available per vendor advisory - apply the Android security patch level published in the June 2026 Android Security Bulletin (https://source.android.com/docs/security/bulletin/android-17) once it is offered by your device OEM, and ensure managed-fleet devices are pinned to that or a later SPL via MDM compliance policy. As a compensating control before patching, restrict sideloading on managed devices by disabling 'Install unknown apps' for all sources via DevicePolicyManager and enforce Play Protect / managed Google Play as the sole install channel; the trade-off is reduced flexibility for users who legitimately install enterprise-signed APKs outside managed Play. Additionally, monitor MDM telemetry for unexpected DPC removal or 'device unmanaged' events, since exploitation manifests as the DPC silently disappearing from a previously enrolled device.

Share

EUVD-2026-37561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy