CVE-2026-0089: In multiple functions of PackageInstallerService
In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a missing permission check vulnerability in Android's PackageInstallerService component, affecting Android 16-QPR2. An attacker with a low-privilege local account can exploit it without any user interaction, bypassing app verification to install unverified applications. Successful exploitation gives the attacker full local privilege escalation, gaining high-level read, write, and execution control over the affected device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Android-based container images in any registry or CI pipeline. Any image packaging or shipping affected Android 16-QPR2 components is flagged automatically.
Available
HarborGuard scores this CVE at 7.8 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined severity thresholds.
Available
No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google publishes a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the fix ships.
Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access is required to trigger the vulnerability.
- Authentication: Required
  Any low-privilege local account is sufficient; no administrative or elevated credentials are needed.
- Victim interaction: Not required
  The attacker can exploit this vulnerability entirely on their own without requiring any action from another user.
- Attack complexity: Detail
  The exploit is reliable and condition-free, requiring no race conditions or specific environmental layout to succeed.
Blast Radius
- Installs arbitrary unverified applications onto the device, bypassing the platform's app verification controls.
- Gains full read access to sensitive data on the device, including files, credentials, and application data.
- Gains write and modify access to system state, persisted data, and application configurations.
- Achieves full local privilege escalation, enabling arbitrary code execution at an elevated privilege level.
How HarborGuard Handles This
Available on HarborGuard: this CVE is continuously monitored across every ingest cycle because no upstream patch exists yet. As a compensating control, customers can apply network-policy isolation to restrict lateral movement from any process that may be compromised via this vector, and use feature-flag or policy gating at the MDM or container orchestration level to block installation of unverified packages where the runtime environment supports it. HarborGuard will automatically make a patched-image rebuild available the moment Google publishes a fix version. For customers with auto-remediation enabled, that rebuild will be paired with a regression test run and a PR opened against affected workloads, with no manual triage step required.
- Google / Android16-qpr2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H