HIGH 7.8

CVE-2026-0078: Android Privilege Escalation via DevicePolicyManagerService Desync

A flaw in Android's device policy management system allows a local user to escalate their privileges by exploiting improper validation of proxy configuration settings. The vulnerability exists in how the system persists global proxy changes, creating a state mismatch that can be leveraged without requiring special permissions or user interaction. An attacker with basic local access can trigger the flaw to gain elevated system privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-20
Affected products
6 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

In setGlobalProxy of DevicePolicyManagerService.java, there is a possible desync in persistence due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-0078 is a local privilege escalation vulnerability in the setGlobalProxy method of DevicePolicyManagerService.java. The root cause is insufficient input validation when processing global proxy configuration changes, leading to inconsistent persistence of proxy state. This desynchronization between the expected and actual proxy configuration can be exploited by an authenticated local user to bypass privilege checks and achieve privilege escalation. The vulnerability is classified as CWE-20 (Improper Input Validation).

Business impact

This vulnerability poses a significant internal threat to organizations deploying Android devices. Users with local access—including employees, contractors, or potentially compromised accounts—can elevate their privileges to access sensitive device data, modify system settings, install malicious applications, or move laterally within organizational networks. Device management controls that rely on proper privilege separation are circumvented, undermining mobile device management (MDM) enforcement and compliance postures. Organizations should prioritize assessment and remediation to maintain the integrity of their Android deployments.

Affected systems

Google Android systems running affected versions are vulnerable. The vulnerability impacts the core device policy framework, meaning any Android device without a patched build of the affected component is at risk. Organizations should consult Google's official Android Security & Privacy Year in Review and platform release notes to determine which specific Android versions and patch levels contain the fix. All supported Android versions should be reviewed for applicability.

Exploitability

Exploitation requires local access to the affected device; network-based attacks are not possible. The attacker must be an authenticated user on the system (or gain such access through other means). No additional execution privileges are required—a standard user account is sufficient. No user interaction or code execution from other processes is needed, making it straightforward for a determined insider or compromised account to trigger the flaw. The low complexity of exploitation and lack of privilege requirements elevate the practical risk.

Remediation

Organizations must apply the security patch released by Google for CVE-2026-0078. The fix addresses the input validation deficiency in setGlobalProxy and restores proper state synchronization. Verify the specific patch version against Google's official Android security advisory. Organizations should establish a timeline for deploying patches to all Android devices in their fleet, prioritizing managed devices and those with sensitive access. Coordinate patching with your MDM solution and device management team to ensure systematic coverage.

Patch guidance

Contact Google's official Android security channels and your device manufacturer's security advisories for the specific patched Android version or security patch level. Patches are typically rolled out through monthly Android security updates. Devices managed via MDM should be updated through your management console; manually managed devices may require over-the-air (OTA) updates or manual flashing of the security patch. Verify successful patch installation by confirming the security patch date on affected devices matches or exceeds the publication date of the fix. Test patch deployment in a non-production environment first to ensure compatibility with organizational applications and workflows.

Detection guidance

Monitor for suspicious privilege escalation attempts on Android devices, particularly if they involve changes to proxy or device policy settings. Examine device logs and MDM telemetry for unexpected modifications to global proxy configurations, especially when made by users without administrative roles. Check for unauthorized changes to device policy settings or reports of unusual privilege elevation. EDR or MDM solutions may log proxy configuration changes; correlate these events with user activity to identify exploitation attempts. Consider deploying policy controls that restrict modifications to critical device settings and alert on any such changes.

Why prioritize this

This vulnerability scores 7.8 (HIGH) under CVSS 3.1 due to its high-impact confidentiality, integrity, and availability consequences at the system level, combined with low exploitation complexity and minimal privilege requirements. While local access is required, the lack of additional execution privileges and user interaction significantly increases risk in environments with shared or bring-your-own-device models. The vulnerability directly undermines device policy enforcement, a core security control for mobile-heavy organizations. Its not yet listed on CISA's KEV catalog, but the technical characteristics suggest near-term exploitation potential. Organizations managing large Android fleets or in regulated industries should patch promptly.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects: (1) Local attack vector—requires initial device access but no network; (2) Low attack complexity—straightforward to exploit once on the device; (3) Low privilege requirement—standard user is sufficient; (4) No user interaction—exploitation is automatic; (5) Unrestricted scope—impact extends to the entire device; (6) High confidentiality, integrity, and availability impact—attacker gains full system-level control over sensitive device functions. The combination of these factors places the vulnerability in the HIGH severity category, warranting urgent remediation in most environments.

Frequently asked questions

Does this vulnerability affect iOS or other mobile platforms?

No, CVE-2026-0078 is specific to Android and targets the Android DevicePolicyManagerService framework. iOS, Windows, and other platforms are not affected. However, organizations running mixed mobile fleets should ensure all Android devices are remediated.

Can this be exploited remotely over the network?

No, the vulnerability requires local access to the affected Android device. An attacker must already have authenticated user-level access or physical access to the device. Remote exploitation is not possible.

Will MDM solutions protect against exploitation of this vulnerability?

MDM solutions enforce device policies but do not prevent local privilege escalation within an already-compromised user session. Patching is essential. MDM can help detect unauthorized privilege escalation or policy changes, but the vulnerability itself must be fixed at the OS level.

What is the relationship between this vulnerability and device administrator privileges?

The vulnerability exists in the device policy management subsystem (DevicePolicyManagerService) but exploits a flaw in input validation that allows a standard user to escalate privilege. Possession of device administrator permissions is not required to trigger the flaw, making it more broadly exploitable than admin-only vulnerabilities.

This analysis is based on the official CVE-2026-0078 description and CVSS vector published as of June 2026. Specific patch versions, affected Android releases, and deployment guidance should be verified against Google's official Android Security Bulletin and your device manufacturer's advisories. No proof-of-concept or weaponized exploit is provided. Organizations are responsible for assessing their specific device inventory, testing patches in controlled environments, and coordinating deployment timelines. This document is for informational purposes and does not constitute official security guidance; consult with your CISO, security team, and vendors for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).