{"id":"ASB-A-485397908", "published":"2026-06-01T00:00:00Z", "modified":"2026-06-09T15:27:06.151355248Z", "aliases":["CVE-2026-0089", "A-485397908"], "details":"In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.", "affected":[{"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"17-next:0"}, {"fixed":"17-next:2026-06-01"}]}], "versions":["17-next"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/1459299f9d3e5da1254a4653be4ac3defec20759", "https://android.googlesource.com/platform/frameworks/base/+/c15dea2dc3bb0ebeefeb59eb74290ac9fa918bf8"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"line_hashes":["330166218789680291236463804339907792904", "89836805987840057911045124514217951239", "307924992950146122806218937544796092419", "323795612996813352514202176353903647105"], "threshold":0.9}, "id":"ASB-A-485397908-473c76e7", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/1459299f9d3e5da1254a4653be4ac3defec20759", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"225464131761428605308717304487472702782", "length":272}, "id":"ASB-A-485397908-6569ba0a", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/1459299f9d3e5da1254a4653be4ac3defec20759", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"addDeveloperVerificationExperiment"}}, {"deprecated":false, "digest":{"line_hashes":["85902044632290977825896609861099242912", "169307118130944273199238675129969400062", "43590843909172523829684393952833802196", "38588230041011655999293184938380237262"], "threshold":0.9}, "id":"ASB-A-485397908-a1dc9608", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c15dea2dc3bb0ebeefeb59eb74290ac9fa918bf8", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"151439334323012505378427988522184196369", "length":86}, "id":"ASB-A-485397908-b70a672d", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/c15dea2dc3bb0ebeefeb59eb74290ac9fa918bf8", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"clearDeveloperVerificationExperiment"}}]}}, {"package":{"name":"platform/frameworks/base", "ecosystem":"Android"}, "ranges":[{"type":"ECOSYSTEM", "events":[{"introduced":"16-qpr2:0"}, {"fixed":"16-qpr2:2026-06-01"}]}], "versions":["16-qpr2"], "ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/3671a41bb57ffd2e8c0c267cdc0469bec05062b8", "https://android.googlesource.com/platform/frameworks/base/+/1f7c25b7e1f12a579b2815819257f9d86bf2e95d"], "severity":"High", "spl":"2026-06-01", "types":["EoP"], "vanir_signatures":[{"deprecated":false, "digest":{"function_hash":"151439334323012505378427988522184196369", "length":86}, "id":"ASB-A-485397908-3eae459b", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/1f7c25b7e1f12a579b2815819257f9d86bf2e95d", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"clearDeveloperVerificationExperiment"}}, {"deprecated":false, "digest":{"line_hashes":["330166218789680291236463804339907792904", "89836805987840057911045124514217951239", "307924992950146122806218937544796092419", "323795612996813352514202176353903647105"], "threshold":0.9}, "id":"ASB-A-485397908-65c05e23", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3671a41bb57ffd2e8c0c267cdc0469bec05062b8", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}, {"deprecated":false, "digest":{"function_hash":"225464131761428605308717304487472702782", "length":272}, "id":"ASB-A-485397908-6b69d40c", "signature_type":"Function", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/3671a41bb57ffd2e8c0c267cdc0469bec05062b8", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java", "function":"addDeveloperVerificationExperiment"}}, {"deprecated":false, "digest":{"line_hashes":["85902044632290977825896609861099242912", "169307118130944273199238675129969400062", "43590843909172523829684393952833802196", "38588230041011655999293184938380237262"], "threshold":0.9}, "id":"ASB-A-485397908-e92aafee", "signature_type":"Line", "signature_version":"v1", "source":"https://android.googlesource.com/platform/frameworks/base/+/1f7c25b7e1f12a579b2815819257f9d86bf2e95d", "target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}}]}}], "references":[{"type":"ADVISORY", "url":"https://source.android.com/security/bulletin/2026-06-01"}]}