CVE Catalog

CVE-2026-0068

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In the createSessionInternal method of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed.

Risk Assessment

The organization may be exposed to local escalation of privilege, which could lead to unauthorized access to system resources. User interaction is needed for exploitation.

Recommendation

It is recommended to monitor app installations and implement additional security measures to limit the possibility of installing malicious software. Consider updating the system to patch this vulnerability.

Original NVD description (English source)

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS