{"id":"ASB-A-460779368", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-24T15:00:40.818157658Z", "aliases":["CVE-2026-0055", "A-460779368"], "details":"In createSessionInternal of PackageInstallerService.java, there is a possible way to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"17-next:0"}, {"fixed":"17-next:2026-06-01"}]}], "versions":["17-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/fe2d4eb0555ab2f1ea812d2b12e0a1548edea2e7"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["254972440605461210426826536669638236202", "167893991033820611825204082068731878774", "232125048972906336622550170191555660809", "117029669476753100572255137914406469982"], "threshold":0.9}, "id":"ASB-A-460779368-0d2fa5b1", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fe2d4eb0555ab2f1ea812d2b12e0a1548edea2e7", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"185727764426197639498552116118627145496", "length":12548}, "id":"ASB-A-460779368-43fc027a", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/fe2d4eb0555ab2f1ea812d2b12e0a1548edea2e7", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", 
"events":[{"introduced":"15:0"}, {"fixed":"15:2026-06-01"}]}], "versions":["15"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/43f1b833e3521a506f55a608d971da3a06123043"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["254972440605461210426826536669638236202", "167893991033820611825204082068731878774", "232125048972906336622550170191555660809", "117029669476753100572255137914406469982"], "threshold":0.9}, "id":"ASB-A-460779368-367e3097", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/43f1b833e3521a506f55a608d971da3a06123043", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"114297757959919742379137534179002051566", "length":11705}, "id":"ASB-A-460779368-fbe22706", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/43f1b833e3521a506f55a608d971da3a06123043", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16:0"}, {"fixed":"16:2026-06-01"}]}], "versions":["16"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/f10d91c07960e69b9d89f557a84e780c985d4178"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"23736031519892428315727038758685826115", "length":11712}, "id":"ASB-A-460779368-1fc2cb84", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/f10d91c07960e69b9d89f557a84e780c985d4178", 
"target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}, {"deprecated":false, "digest":{"line_hashes":["254972440605461210426826536669638236202", "167893991033820611825204082068731878774", "232125048972906336622550170191555660809", "117029669476753100572255137914406469982"], "threshold":0.9}, "id":"ASB-A-460779368-46ccea7e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/f10d91c07960e69b9d89f557a84e780c985d4178", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-06-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e8a25baeb30aaec64e80f1c7e55a44b1a93e9337"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["254972440605461210426826536669638236202", "167893991033820611825204082068731878774", "232125048972906336622550170191555660809", "117029669476753100572255137914406469982"], "threshold":0.9}, "id":"ASB-A-460779368-04fbc21a", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e8a25baeb30aaec64e80f1c7e55a44b1a93e9337", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"209062086188655214902542174846261069862", "length":12630}, "id":"ASB-A-460779368-537f9e9e", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/e8a25baeb30aaec64e80f1c7e55a44b1a93e9337", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", 
"function":"createSessionInternal"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"14:0"}, {"fixed":"14:2026-06-01"}]}], "versions":["14"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/5dc8ec833691c2e2d61ea6ef90b7858c78a64e3e"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["254972440605461210426826536669638236202", "167893991033820611825204082068731878774", "232125048972906336622550170191555660809", "117029669476753100572255137914406469982"], "threshold":0.9}, "id":"ASB-A-460779368-cf54648e", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/5dc8ec833691c2e2d61ea6ef90b7858c78a64e3e", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"91625058542454682175703424736644065853", "length":10025}, "id":"ASB-A-460779368-db7496e1", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/5dc8ec833691c2e2d61ea6ef90b7858c78a64e3e", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"createSessionInternal"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}, {"type":"FIX", "url":"https://android.googlesource.com/platform/frameworks/base/+/62ec466efd801a253a1134011bf9c0e83f1bfb1d"}]}