CVE-2026-0055: Android Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
A path traversal vulnerability in Android's PackageInstallerService allows an attacker to write a Device Policy Controller (DPC) application to an unintended directory. By exploiting this flaw, an unprivileged local process can escalate its privileges without requiring user interaction or additional system permissions. The vulnerability affects multiple Android versions and could allow an attacker with local access to gain elevated capabilities on the device.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-22, CWE-269
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In createSessionInternal of PackageInstallerService.java, there is a possible to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0055 is a path traversal vulnerability (CWE-22) combined with improper privilege management (CWE-269) in the createSessionInternal method of PackageInstallerService.java. The flaw permits directory traversal during DPC installation, enabling an attacker to place policy controller code outside the intended installation path. This misconfiguration of access controls allows local privilege escalation without requiring special execution privileges or user interaction, making it exploitable by any local process on the device.
Business impact
This vulnerability poses a direct threat to device security posture across Android deployments. An attacker gaining local code execution—whether through a separate vulnerability or malicious app—could leverage this flaw to escalate to Device Policy Controller privileges, potentially gaining administrative control over device policies, encryption settings, and security configurations. For enterprise deployments relying on Android's MDM (Mobile Device Management) capabilities, this represents a critical chain-attack vector that could compromise both personal and corporate data.
Affected systems
The vulnerability affects Google Android across multiple versions. Organizations should verify affected version numbers against the Android security bulletin and the Android Security & Privacy Year in Review documentation. The flaw impacts all Android devices running vulnerable versions, particularly those deployed in enterprise environments where device policy controllers are actively used for mobile device management.
Exploitability
The vulnerability is locally exploitable with a CVSS score of 6.2 (Medium). The attack vector is local (AV:L), requires no special access control (AC:L), needs no privileges (PR:N), and requires no user interaction (UI:N). However, exploitation is constrained to attackers with pre-existing local code execution on the target device. While the vulnerability itself does not grant remote access, it significantly amplifies the impact of any prior local compromise by enabling privilege escalation to DPC-level control. This makes it a valuable secondary exploit for attackers who have already breached initial defenses.
Remediation
Affected organizations should prioritize applying security updates from Google when available. Since this vulnerability requires local code execution as a prerequisite, defense-in-depth strategies are essential: enforce strong app vetting policies, restrict sideloading, use runtime application self-protection (RASP) mechanisms, and deploy robust mobile threat defense solutions. Organizations should also review access logs for suspicious DPC modifications or unexpected device policy changes that might indicate exploitation attempts.
Patch guidance
Verify the availability of patches through the official Android Security & Privacy Bulletin. Apply updates to all affected Android versions as they become available from your device manufacturer or carrier. Given the medium severity rating, patch deployment should follow your standard patch management cycle, prioritized alongside any critical or high-severity updates released in the same cycle. Test patches in a controlled environment before widespread deployment, particularly if you operate Android devices in enterprise MDM scenarios.
Detection guidance
Monitor for suspicious filesystem writes in package installation directories, particularly attempts to write DPC-related code outside standard application sandboxes. Track installation attempts from unprivileged processes targeting policy controller paths. Examine device policy logs for unexpected policy controller installations or modifications. In Android enterprise environments, use MDM platforms to audit policy controller integrity and alert on unauthorized changes. Watch for patterns consistent with local privilege escalation probing, including repeated failed package installation attempts from non-system processes.
Why prioritize this
While rated MEDIUM in severity, this vulnerability deserves elevated priority in Android-heavy deployments due to its direct impact on device administrative control and the ease with which an attacker with local code execution can weaponize it. For organizations managing large Android fleets through MDM, the path to compromised device policies—and thus compromised security configurations—justifies treating this as a higher-priority patch when released. The lack of user interaction required for exploitation further reduces friction for attackers already inside the local attack surface.
Risk score, explained
The CVSS 3.1 score of 6.2 reflects a Medium severity driven by: (1) local-only attack vector limiting initial exposure, (2) no privilege requirements enabling any local process to attempt exploitation, (3) high confidentiality impact from potential access to sensitive device configurations, (4) no integrity or availability impact in the immediate vulnerability scope, and (5) unchanged security scope. The score would be significantly higher if remote exploitation were feasible. For enterprise risk scoring, consider applying organizational weights reflecting the prevalence of Android in your environment and the sensitivity of policies managed through DPC.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The vulnerability requires local code execution on the target device. An attacker must have pre-existing local access, such as through a separate vulnerability or a malicious app, before they can leverage this path traversal flaw. However, once local access is obtained, no additional privileges or user interaction are needed to escalate via this bug.
What is a Device Policy Controller (DPC) and why does compromising it matter?
A Device Policy Controller is a specialized application that enforces device management policies in Android environments, including encryption settings, password policies, app restrictions, and remote wiping capabilities. Compromising a DPC allows an attacker to modify or bypass these policies, potentially disabling security controls, accessing sensitive data, or preventing legitimate remote management actions by IT administrators.
Does Google Android's implementation of privilege separation limit the actual impact?
While Android's SELinux policies and process isolation do provide layered defense, the ability to install a malicious or modified DPC through directory traversal could allow an attacker to run code with the policy controller's elevated capabilities. The lack of sandbox enforcement during this specific installation step represents a gap in the expected privilege boundary.
Should we disable all Device Policy Controller usage until patches are available?
Disabling DPC entirely is not practical for enterprise deployments. Instead, focus on preventing initial local code execution through robust app vetting, restriction of sideloading, and endpoint detection capabilities. Apply patches promptly when released, and consider supplementary monitoring for DPC integrity in your MDM platform.
This analysis is based on vulnerability disclosures and CVSS data available as of the publication date. Specific affected Android versions, patch availability, and remediation timelines should be verified against the official Android Security & Privacy Bulletin and manufacturer advisories. This vulnerability requires pre-existing local code execution and should be evaluated as part of a complete threat model, not in isolation. Organizations are strongly advised to conduct testing in isolated environments before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0086MEDIUMAndroid DisableSupervisionActivity Privilege Escalation via Null Check Bypass
- CVE-2026-0009HIGHAndroid Tapjacking Local Privilege Escalation Vulnerability
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure
- CVE-2026-0089HIGHAndroid PackageInstallerService Permission Check Bypass – Local Privilege Escalation
- CVE-2026-0091HIGHAndroid Launcher Privilege Escalation Vulnerability (CVSS 7.8)