CVE-2026-0068
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In the createSessionInternal method of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed.
Risk Assessment
The organization may be exposed to local escalation of privilege, which could lead to unauthorized access to system resources. User interaction is needed for exploitation.
Recommendation
It is recommended to monitor app installations and implement additional security measures to limit the possibility of installing malicious software. Consider updating the system to patch this vulnerability.
Original NVD description (English source)
In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

