CVE-2026-0055
MEDIUM WAF: High
CVSS 6.2
Published: 2026-06-01
CWE-22 CWE-269
In createSessionInternal of PackageInstallerService.java, there is a possible to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Improper Privilege Management
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| android | 14.0 | |
| android | 15.0 | |
| android | 16.0 | |
| android | 16.0 | |
| android | 16.0 | |
| android | 16.0 |
References
- source.android.com (Vendor Advisory)