Vulnerability Details CVE-2026-0068
In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 12.9%
CVSS Severity
CVSS v3 Score 7.8