MEDIUM 5.5

CVE-2026-0070: Android DevicePolicyManagerService Local Denial of Service Vulnerability

A flaw in Android's DevicePolicyManagerService allows a local attacker with standard user privileges to hide critical system packages through improper validation of input parameters. This creates a denial-of-service condition by making essential system components inaccessible, potentially rendering the device unstable or non-functional without requiring any special permissions or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-20
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0070 stems from inadequate input validation in multiple functions within DevicePolicyManagerService.java. An authenticated local process can exploit this to obscure system-critical packages from visibility and accessibility, triggering a high-impact availability disruption. The vulnerability is rooted in CWE-20 (Improper Input Validation), allowing an attacker with local access and low privilege level to craft malicious parameters that bypass filtering logic.

Business impact

For organizations deploying Android devices—whether corporate-owned or bring-your-own-device—this vulnerability creates an operational risk. Compromised devices could become unreliable or require manual intervention to recover, disrupting productivity and increasing support costs. The ability to hide critical system packages may also interfere with mobile device management (MDM) policies, compliance controls, and security monitoring that depend on package visibility and integrity.

Affected systems

Google Android is the affected platform. The vulnerability impacts multiple versions and variants of the Android operating system. Affected organizations should verify the specific Android versions and security patch level of their deployed devices against Google's official security bulletins.

Exploitability

Exploitation requires local access to the device but no elevated privileges—any authenticated local process or application can trigger the flaw. No user interaction is needed, meaning the attack can occur silently. The attack surface includes any installed application with basic system access or any local process running in the device context. The low barrier to exploitation (AC:L) combined with the local-only requirement (AV:L) makes this readily exploitable in environments where untrusted apps are installed or where multiple users share device access.

Remediation

Apply the latest Android security patches released by Google to address improper input validation in DevicePolicyManagerService. Verify patch availability for your specific Android version and device model, as update availability varies by manufacturer and carrier. Additionally, review and enforce application whitelisting policies to limit which apps can interact with device policy functions, reducing the attack surface.

Patch guidance

Check Google's Android Security & Privacy Year in Review and monthly security bulletins for the patch version and date corresponding to CVE-2026-0070. Patch deployment timelines vary by device manufacturer and mobile carrier; prioritize updating devices in high-risk environments (finance, healthcare, government) first. For managed devices, use MDM solutions to push updates and verify successful remediation. Document the patching baseline and track unpatched devices for risk assessment.

Detection guidance

Monitor application behavior for unusual attempts to access or manipulate device policy settings, particularly calls to DevicePolicyManagerService functions with unexpected or invalid parameters. Audit device logs for denial-of-service events linked to package visibility (e.g., critical services becoming unavailable or inaccessible). On managed devices, use MDM telemetry to verify that system-critical packages remain visible and functional. Implement network-level monitoring to detect sudden loss of device communication patterns that might indicate system instability caused by hidden packages.

Why prioritize this

Although rated MEDIUM severity, this vulnerability merits prioritized attention because it affects a foundational Android system service with no privilege escalation required and no user interaction needed. The denial-of-service impact can compromise device reliability and compliance posture. Organizations with large Android deployments or strict uptime requirements should treat this as higher priority than the CVSS score alone suggests.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector (AV:L), low complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and high availability impact (A:H). The scope is unchanged (S:U), meaning the impact is confined to the affected system. The score correctly penalizes the local-only nature of the attack but appropriately weights the severity of the denial-of-service impact and the ease of exploitation by low-privileged processes.

Frequently asked questions

Can this vulnerability allow an attacker to escalate privileges or access sensitive data?

No. CVE-2026-0070 is limited to hiding system packages and causing denial of service. There is no confidentiality or integrity impact; the attack cannot extract data or elevate privileges. However, hiding critical packages may indirectly prevent security controls from functioning, so it should not be dismissed as low-risk.

What is the difference between this and a traditional denial-of-service attack?

Traditional DoS attacks are often network-based or require overwhelming resources. This vulnerability achieves DoS through local manipulation of system package visibility, making the device unreliable or non-functional without flooding or crashing. It is stealthier and harder to detect via network monitoring alone.

If I have mobile device management (MDM) in place, am I protected?

MDM can help you detect and respond to compromised devices faster, and can enforce security policies and push patches. However, MDM does not prevent the exploit itself. You must apply the patch to close the vulnerability. MDM is a detection and remediation tool, not a prevention layer for this flaw.

Do I need to worry about this if my users cannot install untrusted apps?

Yes. While restricting app installation reduces the attack surface, any local process—including those from pre-installed system apps or enterprise applications—can potentially exploit this if they have local access. A defense-in-depth approach combining app controls, patching, and monitoring is recommended.

This analysis is based on the CVE record published on 2026-06-01 and modified on 2026-06-17. Security details, patch versions, and affected product versions should be verified against Google's official Android Security & Privacy bulletins and vendor advisories. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities catalog. Organizations should conduct their own risk assessment based on their specific Android deployment, device models, and use cases. This intelligence is provided for informational purposes and does not constitute legal or professional advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).