CVE-2026-0068
EUVD-2026-3756117.06.2026, 13:19
In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| android | 17.0 |
𝑥
= Vulnerable software versions