
CVE-2026-0055: Google Android Privilege Escalation Flaw

CVE-2026-0055 is a privilege escalation vulnerability in Google Android caused by a path traversal error in PackageInstallerService.java. Attackers can exploit this to gain elevated privileges locally without user interaction.

CVE-2026-0055 Overview

CVE-2026-0055 is a path traversal vulnerability [CWE-22] in the Android PackageInstallerService.java component. The flaw resides in the createSessionInternal function, which fails to properly validate directory paths during Device Policy Controller (DPC) update operations. An attacker with local access can exploit this weakness to update a DPC into an invalid directory.

Successful exploitation leads to local escalation of privilege without requiring additional execution privileges or user interaction. The vulnerability affects Google Android versions 14, 15, and 16, including several Android 16 QPR2 beta releases.

Critical Impact

Local privilege escalation through path traversal in the Android package installer, enabling DPC manipulation without user interaction.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, 2, and 3)

Discovery Timeline

  • 2026-06-01 - CVE-2026-0055 published to NVD and addressed in the Android Security Bulletin
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0055

Vulnerability Analysis

The vulnerability exists in the createSessionInternal method of PackageInstallerService.java, a core Android system service responsible for managing package installation sessions. The function processes path inputs without sufficient validation, allowing path traversal sequences to influence the destination directory used during a Device Policy Controller update.

Device Policy Controllers operate with elevated privileges on Android and govern enterprise management policies. By directing a DPC update into a directory outside the intended staging location, a local actor can subvert the integrity expectations the system places on that package and reach privileged operations normally restricted to system-level components.

The flaw requires only local access. No user interaction is needed, and no additional execution privileges are required beyond what a local app context provides. The primary rated impact is to confidentiality: the resulting privilege escalation exposes system resources that a normal app context cannot reach.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The createSessionInternal routine accepts a path parameter and uses it during DPC update workflows without canonicalizing the input or rejecting traversal sequences such as ../. This allows the resolved path to escape the intended installation directory.
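The distinction the root cause turns on, shown here as an added Python illustration rather than AOSP code or the actual fix: the unchecked pattern joins and normalizes a caller-supplied relative path and trusts the result, while the hardened pattern canonicalizes and then tests that the result is still a descendant of the staging root. STAGING_ROOT, the function names and the sample paths are assumptions chosen for this example; Android's real staging directory and the shape of the createSessionInternal fix are not asserted here.

```python
import posixpath

# Hypothetical staging root standing in for the installer's intended
# directory; a real device path is not asserted by this example.
STAGING_ROOT = "/data/app/staging"


def resolve_unchecked(base, relative):
    """Vulnerable pattern (CWE-22): join the caller-supplied path under base
    and normalize it, but never verify the result is still inside base.
    Illustrates the condition the advisory describes; not AOSP code."""
    return posixpath.normpath(posixpath.join(base, relative))


def resolve_contained(base, relative):
    """Hardened pattern: canonicalize, then require the result to be a
    strict descendant of base. Returns the resolved path or raises
    ValueError when the path escapes (traversal, absolute path, NUL)."""
    if not relative or relative.startswith("/") or "\0" in relative:
        raise ValueError("absolute, empty or NUL-containing path rejected")
    root = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # commonpath is the containment test. A plain string-prefix check would
    # wrongly accept "/data/app/staging_evil" as inside "/data/app/staging".
    if candidate == root or posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes staging root: %s" % candidate)
    return candidate


def is_contained(base, relative):
    """Boolean wrapper around resolve_contained for callers that only need
    an accept/reject decision."""
    try:
        resolve_contained(base, relative)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate session path, one traversal attempt.
    for rel in ("session42/base.apk", "../../system/priv-app/dpc.apk"):
        print("unchecked :", resolve_unchecked(STAGING_ROOT, rel))
        print("contained :", is_contained(STAGING_ROOT, rel))
```

Note that posixpath.normpath works on strings only. On a real filesystem the same check must be applied after resolving symlinks (os.path.realpath), because a symlink inside the staging root can point outside it even when the normalized string looks contained; the string test alone is not sufficient there.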

Attack Vector

A local application invokes the package installer session creation API with a crafted path containing traversal segments. The service then writes or stages the DPC update into a directory outside the expected sandbox. Once the update is processed, the attacker leverages the misplaced DPC artifact to escalate privileges within the local context.

See the Android Security Bulletin June 2026 for technical details on the affected component and patch references.

Detection Methods for CVE-2026-0055

Indicators of Compromise

  • Unexpected DPC package files staged in directories outside the standard /data/app/ or managed profile paths
  • Package installer session logs referencing paths containing ../ traversal sequences
  • Anomalous calls to PackageInstaller.Session APIs originating from non-system applications

Detection Strategies

  • Monitor logcat output from PackageInstallerService for session creation events with unusual path parameters
  • Inspect device administrator and DPC change events for installations not originating from approved enterprise mobility management sources
  • Correlate package installer activity with unexpected privilege changes on enrolled devices

Monitoring Recommendations

  • Enable enterprise mobile threat defense telemetry to capture DPC update events and package installation sessions
  • Audit Android Enterprise managed device fleets for unauthorized DPC replacement attempts
  • Track Android security patch level (ro.build.version.security_patch) across the fleet to verify remediation status
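The two checks above that lend themselves to tooling, the logcat scan for traversal sequences in session-creation events and the fleet-wide patch-level comparison, as an added Python example that is not part of the original advisory. The logcat line layout follows the threadtime format, but the PackageInstallerService message text, tag usage and field names (installer=, path=) are assumptions: the real log format is not documented on this page, so the regexes must be adapted to what the device actually emits. The fleet snapshot is constructed; on a real device the value comes from adb shell getprop ro.build.version.security_patch.

```python
import re
from datetime import date

# From the advisory: devices at this patch level or later carry the fix.
FIXED_PATCH_LEVEL = date(2026, 6, 1)

# Constructed sample lines in logcat threadtime layout. The message text and
# field names are hypothetical, not the documented PackageInstallerService format.
SAMPLE_LOGCAT = """\
06-02 10:14:03.118  1203  1377 I PackageInstallerService: createSession user=0 installer=com.android.vending path=session42/base.apk
06-02 10:14:07.552  1203  1377 I PackageInstallerService: createSession user=0 installer=com.example.untrusted path=../../system/priv-app/dpc.apk
06-02 10:14:09.004  1203  1377 I PackageInstallerService: createSession user=0 installer=com.example.untrusted path=staging/..%2F..%2Fescape.apk
06-02 10:14:12.771   845   845 D ActivityManager: Start proc 4412:com.example.untrusted/u0a210
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)
# Traversal forms worth flagging: literal "../" or "..\", a percent-encoded
# slash after the dots, and percent-encoded dots. Adjust if the service logs
# already-decoded paths only.
TRAVERSAL_RE = re.compile(r"(\.\.[/\\])|(\.\.%2[fF])|(%2[eE]%2[eE])")
PATH_RE = re.compile(r"\bpath=(\S+)")
INSTALLER_RE = re.compile(r"\binstaller=(\S+)")


def find_traversal_sessions(logcat_text, tag="PackageInstallerService"):
    """Return (installer, path) for each line from the given tag whose
    path field contains a traversal sequence. Lines from other tags are
    ignored so unrelated noise never produces a hit."""
    hits = []
    for line in logcat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("tag") != tag:
            continue
        msg = m.group("msg")
        p = PATH_RE.search(msg)
        if not p or not TRAVERSAL_RE.search(p.group(1)):
            continue
        inst = INSTALLER_RE.search(msg)
        hits.append((inst.group(1) if inst else "?", p.group(1)))
    return hits


def is_patched(security_patch_level):
    """True if ro.build.version.security_patch (YYYY-MM-DD) is at or after
    the June 2026 level. Malformed or missing values count as unpatched,
    so a device that cannot report its level is never reported as fixed."""
    try:
        y, mo, d = (int(x) for x in security_patch_level.strip().split("-"))
        return date(y, mo, d) >= FIXED_PATCH_LEVEL
    except (ValueError, AttributeError):
        return False


def fleet_report(devices):
    """devices maps serial -> patch level string; returns the serials that
    still need the update, sorted for stable reporting."""
    return sorted(serial for serial, lvl in devices.items() if not is_patched(lvl))


if __name__ == "__main__":
    for installer, path in find_traversal_sessions(SAMPLE_LOGCAT):
        print("suspicious session from %s: %s" % (installer, path))
    # Constructed fleet snapshot (serials and levels are made up).
    fleet = {"R58N1": "2026-06-05", "R58N2": "2026-05-01", "R58N3": "2026-06-01"}
    print("unpatched:", fleet_report(fleet))
```

A traversal hit is a reason to pull the installer package and the session details, not proof of exploitation on its own; legitimate installers should never pass such paths, so false positives mostly come from log formats the regexes were not tuned for.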

How to Mitigate CVE-2026-0055

Immediate Actions Required

  • Apply the June 2026 Android security patch level (2026-06-01 or later) to all affected devices
  • Prioritize patching for enterprise-managed devices running DPCs, as these are the direct exploitation target
  • Restrict sideloading on managed devices by enforcing installation only from trusted sources

Patch Information

Google addressed CVE-2026-0055 in the Android Security Bulletin June 2026. Device manufacturers must integrate the upstream fix and distribute updates to Android 14, 15, and 16 devices. Verify the security patch level under device settings to confirm remediation.

Workarounds

  • Limit installation of untrusted applications by disabling unknown source installation in device policies
  • Enforce Android Enterprise managed profiles to constrain which applications can invoke package installer APIs
  • Apply mobile device management policies that block non-approved DPC changes pending patch deployment

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.