CVE-2026-28578: Android DevicePolicyManagerService Denial of Service Vulnerability
A flaw in Android's device policy management system allows a local attacker to cause the device to become unstable or unresponsive by exploiting improper input validation in DevicePolicyManagerService. An attacker with basic user-level access can trigger this issue without user interaction, potentially disrupting device functionality. This is a local denial-of-service vulnerability with no remote attack vector.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 6 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of DevicePolicyManagerService.java, there is a possible desync from persistence due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-28578 exists in multiple functions within DevicePolicyManagerService.java, where insufficient input validation permits a desynchronization between in-memory policy state and persistent storage. An attacker with local access and standard user privileges can craft malformed requests that cause the service to enter an inconsistent state, leading to availability impact. The vulnerability is classified under CWE-20 (Improper Input Validation) and requires no special permissions or user interaction to exploit.
Business impact
Device availability disruption affects user productivity and may trigger support escalation. For organizations managing fleets of Android devices via Mobile Device Management (MDM) policies, this vulnerability could be weaponized by a compromised or malicious local user account to render managed devices temporarily unavailable or force administrative intervention. The availability-only impact limits data theft risk, but operational continuity is at stake.
Affected systems
Google Android is affected. Specific version ranges have not been disclosed in public advisories; verify the Android security bulletin and device-specific patches to determine which releases require updates. Legacy and current-generation Android devices running vulnerable code paths are at risk.
Exploitability
Exploitation is straightforward from a technical perspective: the attacker needs only local code execution at the user privilege level, which is trivial to achieve on most Android devices. No additional execution privileges, authentication escalation, or user interaction are required. The attack surface is broad because any application or user session with standard permissions can trigger the flaw. However, the vulnerability is not known to be exploited in the wild (not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date).
Remediation
Install the security patch provided by Google in the Android security update corresponding to the June 2026 bulletin or later. Patch availability varies by device manufacturer and carrier; check your device's system update settings or contact your device vendor for timeline specificity. Organizations operating MDM solutions should prioritize pushing updated builds to managed Android devices.
Patch guidance
Consult the official Google Android Security & Privacy Year in Review or the monthly security bulletin released by Google for June 2026 and subsequent months to identify the specific Android version or security patch level (SPL) that addresses CVE-2026-28578. Verify patch applicability against your device model, carrier, and current Android build. Test patches in a controlled environment before fleet-wide deployment to ensure compatibility with organizational applications and policies.
Detection guidance
Monitor for repeated DevicePolicyManagerService crashes or state inconsistencies in system logs (logcat or equivalent). Look for error messages related to policy persistence desynchronization or unexpected exceptions in device_policy_manager processes. If MDM-managed, review management console alerts for policy enforcement failures or device health degradation coinciding with the attack window. Network-based detection is limited given the local-only nature; focus on endpoint logging and user privilege monitoring.
Why prioritize this
Although the CVSS score of 5.5 (Medium) reflects the availability-only impact and local attack requirement, organizations should prioritize patching based on device distribution and user-facing availability risk. Widespread Android deployments in BYOD environments warrant faster remediation than isolated or air-gapped use cases. The low barrier to exploitation—standard user privileges with no interaction required—makes this a relevant medium-term priority even if not an immediate critical incident.
Risk score, explained
The CVSS v3.1 score of 5.5 reflects: local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H). The score accurately represents a denial-of-service threat that affects a single local user session without broader system compromise potential. Organizations with high availability requirements may weight this higher operationally than the base score suggests.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-28578 requires local code execution at the user privilege level. An attacker must already have a user account or local shell access on the device. Remote exploitation is not possible.
Does this vulnerability allow an attacker to steal personal data or bypass security policies?
No. The vulnerability causes denial of service and policy desynchronization, not data theft or authentication bypass. There is no confidentiality or integrity impact—only availability is affected.
Are all Android versions equally vulnerable?
The vulnerability exists in DevicePolicyManagerService.java, which is present across many Android versions, but specific affected versions depend on when the vulnerable code was introduced and when patches were released. Consult Google's official Android security bulletin to confirm your device's vulnerability status.
If my device is not yet patched, what can I do to mitigate the risk?
Limit user account provisioning and restrict local access to trusted users only. Implement application-level access controls via MDM policies if available. Monitor for unusual DevicePolicyManagerService behavior. Plan for prompt patching as soon as the security update becomes available for your device model.
This analysis is based on information available as of June 2026. Vulnerability details, patch timelines, and affected product versions may be updated by Google or device manufacturers. Always verify patch applicability and test in a controlled environment before production deployment. This document does not constitute legal or compliance advice; consult your organization's security and legal teams for risk assessment specific to your environment. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance and disclaims liability for outcomes of patch deployment or remediation decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10938MEDIUMChrome Site Isolation Bypass via Input Validation Flaw