CVE-2026-0055 Overview
CVE-2026-0055 is a path traversal vulnerability [CWE-22] in the Android PackageInstallerService.java component. The flaw resides in the createSessionInternal function, which fails to properly validate directory paths during Device Policy Controller (DPC) update operations. An attacker with local access can exploit this weakness to update a DPC into an invalid directory.
Successful exploitation leads to local escalation of privilege without requiring additional execution privileges or user interaction. The vulnerability affects Google Android versions 14, 15, and 16, including several Android 16 QPR2 beta releases.
Critical Impact
Local privilege escalation through path traversal in the Android package installer, enabling DPC manipulation without user interaction.
Affected Products
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0 (including QPR2 Beta 1, 2, and 3)
Discovery Timeline
- 2026-06-01 - CVE-2026-0055 published to NVD and addressed in the Android Security Bulletin
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-0055
Vulnerability Analysis
The vulnerability exists in the createSessionInternal method of PackageInstallerService.java, a core Android system service responsible for managing package installation sessions. The function processes path inputs without sufficient validation, allowing path traversal sequences to influence the destination directory used during a Device Policy Controller update.
Device Policy Controllers operate with elevated privileges on Android and govern enterprise management policies. By directing a DPC update into an attacker-controlled or invalid directory, a local actor can subvert package integrity expectations and gain access to privileged operations normally restricted to system-level components.
The flaw requires only local access. No user interaction is needed, and no additional execution privileges are required beyond what a local app context provides. Confidentiality is the primary impact, with privilege escalation enabling access to sensitive system resources.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The createSessionInternal routine accepts a path parameter and uses it during DPC update workflows without canonicalizing the input or rejecting traversal sequences such as ../. This allows the resolved path to escape the intended installation directory.
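The canonicalize-then-contain check that the root cause describes as missing, written here as an added illustration rather than Android's own code; the staging root `/data/app`, the function names and the error type are assumptions:

```python
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed staging root."""


def resolve_within(base_dir: str, requested: str) -> str:
    """Canonicalize `requested` under `base_dir` and confirm it stays inside.

    Symlinks, '.' and '..' are resolved first, and containment is tested on
    the resolved result rather than on the raw string, so a traversal
    sequence cannot steer the destination outside the staging root.
    Function names and the staging layout are assumptions for this example.
    """
    base = Path(base_dir).resolve()
    # An absolute input is rejected outright instead of being silently re-rooted.
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    candidate = (base / requested).resolve()
    # relative_to() raises ValueError when candidate is not under base.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(
            f"{requested!r} resolves to {candidate}, outside {base}"
        ) from None
    # '.' or 'x/..' land on the root itself, which is never a valid stage dir.
    if candidate == base:
        raise PathTraversalError("path resolves to the staging root itself")
    return str(candidate)


def is_safe_stage_path(base_dir: str, requested: str) -> bool:
    """Convenience predicate: True only when resolve_within() accepts the path."""
    try:
        resolve_within(base_dir, requested)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    for req in ("com.example.dpc/base.apk", "../../system/priv-app/x.apk"):
        verdict = "accepted" if is_safe_stage_path("/data/app", req) else "rejected"
        print(req, "->", verdict)
```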
Attack Vector
A local application invokes the package installer session creation API with a crafted path containing traversal segments. The service then writes or stages the DPC update into a directory outside the expected sandbox. Once the update is processed, the attacker leverages the misplaced DPC artifact to escalate privileges within the local context.
See the Android Security Bulletin June 2026 for technical details on the affected component and patch references.
Detection Methods for CVE-2026-0055
Indicators of Compromise
- Unexpected DPC package files staged in directories outside the standard /data/app/ or managed profile paths
- Package installer session logs referencing paths containing ../ traversal sequences
- Anomalous calls to PackageInstaller.Session APIs originating from non-system applications
Detection Strategies
- Monitor logcat output from PackageInstallerService for session creation events with unusual path parameters
- Inspect device administrator and DPC change events for installations not originating from approved enterprise mobility management sources
- Correlate package installer activity with unexpected privilege changes on enrolled devices
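Detection logic covering the indicators of compromise and the detection strategies above, as an added example that is not from the page or from any Android tooling; the logcat line layout, package names and UIDs are constructed sample data, and the UID threshold is Android's first application UID (10000):

```python
import posixpath
import re
from dataclasses import dataclass, field

# Constructed sample lines; the message layout is an assumption, not the real
# PackageInstallerService log format.
SAMPLE_LOGCAT = """\
06-03 10:15:02.101  1234  1300 I PackageInstallerService: createSession uid=1000 pkg=com.android.vending stageDir=/data/app/vmdl1001.tmp
06-03 10:15:09.442  1234  1300 I PackageInstallerService: createSession uid=10234 pkg=com.example.dpc stageDir=/data/app/../../data/local/tmp/vmdl1002.tmp
06-03 10:15:11.007  1234  1301 I PackageInstallerService: createSession uid=10077 pkg=com.example.other stageDir=/data/app/vmdl1003.tmp
06-03 10:15:15.655  1234  1300 I PackageInstallerService: createSession uid=10077 pkg=com.example.other stageDir=/sdcard/Download/vmdl1004.tmp
"""

FIRST_APPLICATION_UID = 10000  # Android assigns installed apps UIDs >= 10000
APPROVED_STAGE_ROOT = "/data/app/"  # expected staging location per the IoC list
LINE_RE = re.compile(r"createSession uid=(?P<uid>\d+) pkg=(?P<pkg>\S+) stageDir=(?P<path>\S+)")


@dataclass
class Finding:
    pkg: str
    uid: int
    path: str
    reasons: list = field(default_factory=list)


def analyze_logcat(text: str) -> list:
    """Return one Finding per session-creation line that trips an indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        uid, pkg, path = int(m["uid"]), m["pkg"], m["path"]
        reasons = []
        # Raw traversal sequence in the parameter, checked before normalization.
        if "../" in path or path.endswith("/.."):
            reasons.append("traversal sequence in stageDir")
        # Lexically normalize, then confirm the result still sits under the root.
        normalized = posixpath.normpath(path)
        if not normalized.startswith(APPROVED_STAGE_ROOT):
            reasons.append(f"stageDir normalizes to {normalized}, outside stage root")
        # Caller UID is only an aggravating factor: legitimate installers such as
        # app stores also run under app UIDs, so it is not flagged on its own.
        if reasons and uid >= FIRST_APPLICATION_UID:
            reasons.append(f"caller uid {uid} is a non-system app")
        if reasons:
            findings.append(Finding(pkg, uid, path, reasons))
    return findings
```

Feed it `adb logcat -d` output filtered to the package installer tag; each Finding lists every indicator that matched so an analyst can see why a session was flagged.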
Monitoring Recommendations
- Enable enterprise mobile threat defense telemetry to capture DPC update events and package installation sessions
- Audit Android Enterprise managed device fleets for unauthorized DPC replacement attempts
- Track Android security patch level (ro.build.version.security_patch) across the fleet to verify remediation status
How to Mitigate CVE-2026-0055
Immediate Actions Required
- Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected devices
- Prioritize patching for enterprise-managed devices running DPCs, as these are the direct exploitation target
- Restrict sideloading on managed devices by enforcing installation only from trusted sources
Patch Information
Google addressed CVE-2026-0055 in the Android Security Bulletin June 2026. Device manufacturers must integrate the upstream fix and distribute updates to Android 14, 15, and 16 devices. Verify the security patch level under device settings to confirm remediation.
Workarounds
- Limit installation of untrusted applications by disabling unknown source installation in device policies
- Enforce Android Enterprise managed profiles to constrain which applications can invoke package installer APIs
- Apply mobile device management policies that block non-approved DPC changes pending patch deployment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.