CVE 10 CRITICAL

CVE-2026-0068_CVE-2026-0068

June 17, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

AI Analysis

Local escalation of privilege vulnerability in Android due to desync from persistence, allowing removal of DPC app without DO consent

Basic Information

ID CVE-2026-0068

Source google_android

Published Jun 17, 2026 at 06:49

Affected Product

Vendor Google

Product Android

Version 17

Affected Versions Google Android 17

AI Assessment

AI Score 10 / 10

AI Severity CRITICAL

Vendor Google

Product Android

Version 17

References

source.android.com /docs/security/bulletin/android-17

{
    "lastseen": "",
    "description": "In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.",
    "published": "2026-06-17T06:49:10.184Z",
    "modified": "2026-06-17T06:49:10.184Z",
    "type": "cve",
    "title": "CVE-2026-0068",
    "source": "google_android",
    "references": "https://source.android.com/docs/security/bulletin/android-17",
    "id": "CVE-2026-0068",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Google Android 17",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Android",
    "version": "17",
    "vendor": "Google",
    "ai_description": "Local escalation of privilege vulnerability in Android due to desync from persistence, allowing removal of DPC app without DO consent",
    "ai_severity": "CRITICAL",
    "ai_vendor": "Google",
    "ai_product": "Android",
    "ai_version": "17",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply