CVE Vulnerability Database

CVE-2026-0070: Google Android DoS Vulnerability

CVE-2026-0070 is a denial of service vulnerability in Google Android caused by improper input validation in DevicePolicyManagerService.java. Attackers can hide critical system packages locally. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0070 Overview

CVE-2026-0070 is an input validation vulnerability in Android's DevicePolicyManagerService.java component. Multiple functions in the service fail to properly validate input, allowing a local attacker to hide a system-critical package. The flaw results in a local denial of service (DoS) condition. No additional execution privileges are required, and user interaction is not needed for exploitation. Google disclosed the issue in the Android Security Bulletin June 2026. The vulnerability affects Android 14, 15, and 16, including 16 QPR2 Beta builds. It is tracked under CWE-20: Improper Input Validation.

Critical Impact

A local application can hide a system-critical package, causing a denial of service that degrades core Android functionality without requiring user interaction.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-06-01 - Google publishes fix in Android Security Bulletin June 2026
  • 2026-06-01 - CVE-2026-0070 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0070

Vulnerability Analysis

The vulnerability resides in DevicePolicyManagerService.java, the system service responsible for enforcing device administration policies on Android. Multiple functions within this service accept caller-supplied package identifiers without enforcing checks that prevent system-critical packages from being targeted. An attacker with local code execution on the device can invoke these functions to mark a critical package as hidden. Hiding a system-critical package disables associated platform functionality and produces a denial of service condition.

The weakness maps to CWE-20: Improper Input Validation. Exploitation does not require elevated execution privileges beyond what a standard local app already holds, and the attack runs without any user interaction.

Root Cause

The affected functions in DevicePolicyManagerService do not validate whether the supplied package belongs to the set of system-critical components before applying hide operations. The missing allow-list or deny-list check enables the parameter-controlled state change to propagate into the package management layer.

Attack Vector

The attack vector is local. A malicious or compromised application running on the device calls into the vulnerable Device Policy Manager interfaces with crafted package name arguments. Because the service accepts the input without verification, the call succeeds and the targeted package becomes hidden, triggering the denial of service on the affected component. No verified public proof-of-concept is available at this time.

No verified code examples are available. Refer to the Android Security Bulletin June 2026 for vendor-supplied technical details.

Detection Methods for CVE-2026-0070

Indicators of Compromise

  • Unexpected transitions of system or platform packages into a hidden state on a managed device.
  • Calls from non-privileged applications to DevicePolicyManager hide-related APIs targeting system packages.
  • Sudden loss of platform functionality (settings, launcher, system UI) following installation of a third-party application.

Detection Strategies

  • Monitor mobile device management (MDM) telemetry for anomalous Device Policy Manager state changes on enrolled Android endpoints.
  • Review Android logcat and audit logs for DevicePolicyManagerService invocations originating from non-system UIDs.
  • Correlate application install events with subsequent package visibility changes to identify suspect callers.

Monitoring Recommendations

  • Track Android build fingerprints across the fleet to confirm receipt of the June 2026 security patch level.
  • Alert on any non-system app requesting or holding device administration capabilities.
  • Baseline the inventory of visible system packages on managed devices and flag deviations.

How to Mitigate CVE-2026-0070

Immediate Actions Required

  • Apply the June 2026 Android security patch level on all affected Android 14, 15, and 16 devices as it becomes available from the device OEM.
  • Restrict installation of untrusted applications and enforce Google Play Protect on managed devices.
  • Audit applications that hold device administrator or device owner privileges and remove any that are not strictly required.

Patch Information

Google addressed CVE-2026-0070 in the Android Security Bulletin dated 2026-06-01. Devices reporting a security patch level of 2026-06-01 or later contain the fix. OEM rollouts vary, so confirm patch level under Settings > About phone > Android version on each device. See the Android Security Bulletin June 2026 for vendor guidance.

Workarounds

  • Limit application sideloading and require enterprise app vetting before deployment to managed Android devices.
  • Use an MDM policy to block applications that request BIND_DEVICE_ADMIN unless explicitly approved.
  • Remove or quarantine recently installed third-party apps on devices showing unexpected hidden-package behavior until patches are applied.

```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
```
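The following POSIX shell script is an added example, not code from the advisory or from Google. It turns the patch-level check above and the baseline-and-flag approach from the Monitoring Recommendations into reusable functions: `classify_patch_level` compares a device's `ro.build.version.security_patch` value against the 2026-06-01 fix level, `missing_from_baseline` reports system packages that were in a stored inventory but are no longer visible, and `hidden_users_from_dumpsys` pulls the per-user `hidden=true` state out of `dumpsys package` output. The parsing functions work on text so they can be exercised offline; `audit_device` wires them to an attached device via `adb`, which is assumed to be on PATH. The exact `dumpsys package` line layout, the use of `pm list packages -s` for the visible system inventory, and the sample outputs embedded below are assumptions and constructed data, not output captured from a real device.

```shell
#!/bin/sh
# Added example (not from the advisory or from Google): defender-side triage
# helpers for CVE-2026-0070. Parsing functions take text so they run offline;
# audit_device needs adb on PATH and an attached device.

FIXED_PATCH_LEVEL="2026-06-01"   # patch level carrying the fix, per the bulletin

# classify_patch_level LEVEL
# LEVEL is the value of ro.build.version.security_patch (YYYY-MM-DD).
# Prints "patched" when LEVEL >= the fixed level, "vulnerable" when older,
# "unknown" (exit 1) when the value is not a date.
classify_patch_level() {
    level_num=$(printf '%s' "$1" | tr -d '-')
    fixed_num=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    case "$level_num" in
        ""|*[!0-9]*) echo "unknown"; return 1 ;;
    esac
    if [ "$level_num" -ge "$fixed_num" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# hidden_users_from_dumpsys < dumpsys-package-output
# Reads `dumpsys package <pkg>` output on stdin and prints the user id of every
# per-user line reporting hidden=true (the state a hide operation sets).
# The line shape assumed here is "    User 0: ... installed=true hidden=true ...".
hidden_users_from_dumpsys() {
    awk '/^[[:space:]]*User [0-9]+:/ && /hidden=true/ {
            sub(/^[[:space:]]*User /, ""); sub(/:.*/, ""); print
         }'
}

# missing_from_baseline BASELINE_FILE CURRENT_FILE
# Both files hold one package name per line. Prints, in baseline order, every
# package present in the baseline but absent from the current visible list:
# these are the candidates for a hidden system package.
missing_from_baseline() {
    awk 'FILENAME == ARGV[1] { cur[$0] = 1; next } !($0 in cur)' "$2" "$1"
}

# Constructed sample shaped like the per-user block of `dumpsys package`
# (assumed format, not captured from a device).
SAMPLE_DUMPSYS='Packages:
  Package [com.android.systemui] (1a2b3c):
    userId=10001
    User 0: ceDataInode=0 installed=true hidden=true suspended=false stopped=false'

# audit_device BASELINE_FILE
# Live check against the attached device: reports patch status, then flags any
# baseline system package that is no longer visible and, for each, which users
# dumpsys reports it hidden for.
audit_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "security_patch=$level status=$(classify_patch_level "$level")"
    cur=$(mktemp)
    adb shell pm list packages -s | tr -d '\r' | sed 's/^package://' > "$cur"
    missing_from_baseline "$1" "$cur" | while read -r pkg; do
        users=$(adb shell dumpsys package "$pkg" | tr -d '\r' \
                | hidden_users_from_dumpsys | tr '\n' ',')
        echo "WARNING: baseline package $pkg not visible; hidden for users: ${users:-none reported}"
    done
    rm -f "$cur"
}
```

Capture the baseline once per device model on a known-good build with `adb shell pm list packages -s | sed 's/^package:/' | sort > baseline.txt`, then run `audit_device baseline.txt` during incident triage; a package that drops out of the visible list while `dumpsys` still knows it and marks it `hidden=true` is the specific signal the Indicators of Compromise above describe.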

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
