CRITICAL  CVE-2026-0068  (CNA: google_android)

CVE-2026-0068: In createSessionInternal of PackageInstallerService

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

Metrics

CVSS v4.0 score: 10.0
Severity: CRITICAL
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

This is a privilege escalation vulnerability in Android 17's PackageInstallerService, specifically in the createSessionInternal method. A desynchronization between runtime state and persisted state allows a malicious app to remove a Device Policy Controller (DPC) app from a managed device without the Device Owner's consent, then escalate privileges in the resulting unmanaged context. Successful exploitation gives an attacker elevated local privileges on the device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Google publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-derived container and system images. Any image carrying the affected Android 17 PackageInstallerService component is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 4.0 10.0 (Critical) and applies per-environment compliance policy weighting to route the finding to the appropriate team inbox within each customer organization. Environments with strict mobile or managed-device policies will surface this at the highest priority tier.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Google ships a patch. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically as soon as a fix version is recorded.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to a remote service is required to trigger the vulnerability.

  • Authentication: Not required

    No account credentials or system privileges are required before exploitation begins; any process able to initiate a package installer session is sufficient.

  • Victim interaction: Required

    A user must take an action, such as installing or approving a malicious app, for the exploit to proceed.

  • Attack complexity

    The exploit is reliable and condition-free once the malicious app is present; no race conditions or special environmental factors need to be arranged.

Blast Radius

  • Attacker removes the Device Policy Controller app from a managed Android 17 device, stripping enterprise management controls without administrator consent.
  • With the DPC removed, the attacker gains elevated local privileges, bypassing device policy enforcement such as screen lock, encryption mandates, and app allowlists.
  • All three pillars (confidentiality, integrity, availability) of the managed device are affected: confidential data stored under DPC-enforced policies becomes readable, device configuration becomes writable, and the management channel itself is severed, disrupting IT oversight.
  • Compromise extends to resources accessible through the now-unmanaged device, including corporate credentials cached on the device and any network resources the device was authorized to reach.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against every customer registry and build pipeline that includes Android 17 system images or derived containers. Because Google has not yet published a fix version, no patched rebuild is available upstream, so HarborGuard re-evaluates the advisory on every ingest cycle and will initiate the rebuild-and-PR flow for customers with auto-remediation enabled the moment a fix is recorded. In the interim, recommended compensating controls include applying network-policy isolation to prevent sideloading vectors at the container or MDM layer, enabling egress filtering to block delivery of unsigned or unreviewed APKs into managed environments, and using feature-flag gating to restrict PackageInstaller session creation to explicitly allowlisted callers where the runtime environment supports it. All findings are routed through per-environment compliance policy weighting, so teams with managed-device or zero-trust policies will see this flagged at the highest priority tier.

Affected packages
  • Google / Android 17

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
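A triage team consuming records like this one should not trust the score blindly: the vector above says AV:N and UI:N, while the Exploit Conditions section states that network reachability is not required and that victim interaction is required. The following script is an added example, not part of the HarborGuard record or of any HarborGuard tooling. It parses a CVSS v4.0 base vector and cross-checks the AV, PR and UI metrics against the prose conditions, returning the mismatches so a reviewer can decide which side of the record is wrong. The metric value tables follow the CVSS v4.0 specification; the mapping from the page's "Required"/"Not required" wording to metric values is my assumption, and the parser deliberately accepts only base metrics (threat and environmental metrics are rejected rather than silently ignored).

```python
"""Cross-check a CVSS v4.0 base vector against prose exploit conditions.

Added example; not HarborGuard code. The PAGE_* constants below are copied
from the advisory record this script accompanies.
"""

# CVSS v4.0 base metrics and the values the specification allows for each.
# Threat (E) and environmental (CR, MAV, ...) metrics are intentionally
# not listed: this checker handles base vectors only.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}


def parse_cvss4(vector: str) -> dict:
    """Parse 'CVSS:4.0/AV:N/...' into {metric: value}; raise ValueError on
    a bad prefix, malformed or duplicate component, unknown metric,
    disallowed value, or missing base metric."""
    prefix, _, body = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for part in body.split("/"):
        key, sep, val = part.partition(":")
        if not sep or not key or not val:
            raise ValueError(f"malformed component {part!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        allowed = BASE_METRICS.get(key)
        if allowed is None:
            raise ValueError(f"unsupported metric {key} (base metrics only)")
        if val not in allowed:
            raise ValueError(f"metric {key} does not allow value {val!r}")
        metrics[key] = val
    missing = sorted(set(BASE_METRICS) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def check_against_conditions(metrics: dict, conditions: dict) -> list:
    """Return human-readable mismatches between the vector and the prose
    conditions. `conditions` holds the page's own wording ('Required' /
    'Not required') for network reachability, authentication and victim
    interaction; the mapping to AV/PR/UI is an assumption of this example."""
    def required(name):
        return conditions[name].strip().lower() == "required"

    findings = []
    av, pr, ui = metrics["AV"], metrics["PR"], metrics["UI"]

    # AV:N means remotely exploitable over a network; AV:L/P means local.
    if av == "N" and not required("network_reachability"):
        findings.append("AV:N but prose says network reachability is not required")
    if av in {"L", "P"} and required("network_reachability"):
        findings.append(f"AV:{av} but prose says network reachability is required")

    # PR:N means no privileges/credentials are needed beforehand.
    if pr == "N" and required("authentication"):
        findings.append("PR:N but prose says authentication is required")
    if pr in {"L", "H"} and not required("authentication"):
        findings.append(f"PR:{pr} but prose says authentication is not required")

    # UI:N means no user action; UI:P/A means some user interaction.
    if ui == "N" and required("victim_interaction"):
        findings.append("UI:N but prose says victim interaction is required")
    if ui in {"P", "A"} and not required("victim_interaction"):
        findings.append(f"UI:{ui} but prose says victim interaction is not required")
    return findings


# Values copied from the advisory record above.
PAGE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
PAGE_CONDITIONS = {
    "network_reachability": "Not required",
    "authentication": "Not required",
    "victim_interaction": "Required",
}


def audit_page() -> list:
    """Run the cross-check on this page's own vector and conditions."""
    return check_against_conditions(parse_cvss4(PAGE_VECTOR), PAGE_CONDITIONS)


if __name__ == "__main__":
    for finding in audit_page():
        print("MISMATCH:", finding)
```

Run as a script it prints the two disagreements on this record (AV and UI); PR:N agrees with "Authentication: Not required". In a real pipeline the same check would run on every ingested record and hold the score-based routing until a human resolves the conflict, since a vector that encodes a remote, zero-interaction attack routes very differently from the local, user-assisted one the description actually describes.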