ASB-A-459461121 — Vulnetix

ASB-A-459461121 PUBLISHED

In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected Products

Vendor	Product	Versions
platform	frameworks/base	16-qpr2-next:0, 16-qpr2-next, 15:0

Timeline

Mar 1, 2026 CVE Published
May 15, 2026 CVE Updated

References

https://source.android.com/security/bulletin/2026-03-01 advisory
https://android.googlesource.com/platform/frameworks/base/+/09055276288a68cf35b0f84ba32e28822f74ecf9 patch

Open in Interactive Console →