CVE-2026-0070: Android DevicePolicyManagerService Local Denial of Service Vulnerability
A flaw in Android's DevicePolicyManagerService allows a local attacker with standard user privileges to hide critical system packages through improper validation of input parameters. This creates a denial-of-service condition by making essential system components inaccessible, potentially rendering the device unstable or non-functional without requiring any special permissions or user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-0070 stems from inadequate input validation in multiple functions within DevicePolicyManagerService.java. An authenticated local process can exploit this to obscure system-critical packages from visibility and accessibility, triggering a high-impact availability disruption. The vulnerability is rooted in CWE-20 (Improper Input Validation), allowing an attacker with local access and low privilege level to craft malicious parameters that bypass filtering logic.
Business impact
For organizations deploying Android devices—whether corporate-owned or bring-your-own-device—this vulnerability creates an operational risk. Compromised devices could become unreliable or require manual intervention to recover, disrupting productivity and increasing support costs. The ability to hide critical system packages may also interfere with mobile device management (MDM) policies, compliance controls, and security monitoring that depend on package visibility and integrity.
Affected systems
Google Android is the affected platform. The vulnerability impacts multiple versions and variants of the Android operating system. Affected organizations should verify the specific Android versions and security patch level of their deployed devices against Google's official security bulletins.
Exploitability
Exploitation requires local access to the device but no elevated privileges—any authenticated local process or application can trigger the flaw. No user interaction is needed, meaning the attack can occur silently. The attack surface includes any installed application with basic system access or any local process running in the device context. The low barrier to exploitation (AC:L) combined with the local-only requirement (AV:L) makes this readily exploitable in environments where untrusted apps are installed or where multiple users share device access.
Remediation
Apply the latest Android security patches released by Google to address improper input validation in DevicePolicyManagerService. Verify patch availability for your specific Android version and device model, as update availability varies by manufacturer and carrier. Additionally, review and enforce application whitelisting policies to limit which apps can interact with device policy functions, reducing the attack surface.
Patch guidance
Check Google's Android Security & Privacy Year in Review and monthly security bulletins for the patch version and date corresponding to CVE-2026-0070. Patch deployment timelines vary by device manufacturer and mobile carrier; prioritize updating devices in high-risk environments (finance, healthcare, government) first. For managed devices, use MDM solutions to push updates and verify successful remediation. Document the patching baseline and track unpatched devices for risk assessment.
Detection guidance
Monitor application behavior for unusual attempts to access or manipulate device policy settings, particularly calls to DevicePolicyManagerService functions with unexpected or invalid parameters. Audit device logs for denial-of-service events linked to package visibility (e.g., critical services becoming unavailable or inaccessible). On managed devices, use MDM telemetry to verify that system-critical packages remain visible and functional. Implement network-level monitoring to detect sudden loss of device communication patterns that might indicate system instability caused by hidden packages.
Why prioritize this
Although rated MEDIUM severity, this vulnerability merits prioritized attention because it affects a foundational Android system service with no privilege escalation required and no user interaction needed. The denial-of-service impact can compromise device reliability and compliance posture. Organizations with large Android deployments or strict uptime requirements should treat this as higher priority than the CVSS score alone suggests.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector (AV:L), low complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and high availability impact (A:H). The scope is unchanged (S:U), meaning the impact is confined to the affected system. The score correctly penalizes the local-only nature of the attack but appropriately weights the severity of the denial-of-service impact and the ease of exploitation by low-privileged processes.
Frequently asked questions
Can this vulnerability allow an attacker to escalate privileges or access sensitive data?
No. CVE-2026-0070 is limited to hiding system packages and causing denial of service. There is no confidentiality or integrity impact; the attack cannot extract data or elevate privileges. However, hiding critical packages may indirectly prevent security controls from functioning, so it should not be dismissed as low-risk.
What is the difference between this and a traditional denial-of-service attack?
Traditional DoS attacks are often network-based or require overwhelming resources. This vulnerability achieves DoS through local manipulation of system package visibility, making the device unreliable or non-functional without flooding or crashing. It is stealthier and harder to detect via network monitoring alone.
If I have mobile device management (MDM) in place, am I protected?
MDM can help you detect and respond to compromised devices faster, and can enforce security policies and push patches. However, MDM does not prevent the exploit itself. You must apply the patch to close the vulnerability. MDM is a detection and remediation tool, not a prevention layer for this flaw.
Do I need to worry about this if my users cannot install untrusted apps?
Yes. While restricting app installation reduces the attack surface, any local process—including those from pre-installed system apps or enterprise applications—can potentially exploit this if they have local access. A defense-in-depth approach combining app controls, patching, and monitoring is recommended.
This analysis is based on the CVE record published on 2026-06-01 and modified on 2026-06-17. Security details, patch versions, and affected product versions should be verified against Google's official Android Security & Privacy bulletins and vendor advisories. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog. Organizations should conduct their own risk assessment based on their specific Android deployment, device models, and use cases. This intelligence is provided for informational purposes and does not constitute legal or professional advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10938MEDIUMChrome Site Isolation Bypass via Input Validation Flaw
- CVE-2026-10980MEDIUMChrome Same-Origin Policy Bypass in DevTools – Patch Guidance