AI description
CVE-2026-0023 is identified as a local privilege escalation vulnerability affecting the Google Android operating system. The flaw resides within the `createSessionInternal` method of `PackageInstallerService.java`, where a critical permission check is absent. This oversight allows an already installed application to modify its own package ownership without proper authorization. Exploitation of this vulnerability enables an attacker to gain elevated privileges on an affected Android device without requiring any user interaction or additional execution rights. Google released a patch for this issue in the March 2026 Android Security Bulletin, and it impacts Android versions 14.0, 15.0, and 16.0, including specific beta releases of Android 16.0. The vulnerability is categorized under CWE-269, which denotes improper privilege management.
- Description
- In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- Source
- security@android.com
- NVD status
- Modified
- Products
- android
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-269
- Hype score
- Not currently trending
Andriod LPE CVE: CVE-2026-0023 PT ID: PT-2026-4703 Vendor: Google Product: Android CVSS: 7.8 Credits: n/a Description: In createSessionInternal of https://t.co/DcwJAR8EZm, there is a possible way for an app to update its ownership due to a missing permission check. This could
@ptdbugs
11 Jun 2026
1632 Impressions
3 Retweets
20 Likes
10 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2025-24132 2 - CVE-2026-20963 3 - CVE-2023-50428 4 - CVE-2026-0023 5 - CVE-2024-21320 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
21 Mar 2026
175 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*",
"matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*",
"matchCriteriaId": "FD695F32-4A73-4846-B1A1-04FF266E9C15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*",
"matchCriteriaId": "3DE9F018-8704-476B-8D59-F63F8486E231",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*",
"matchCriteriaId": "BE95A642-4330-4F65-B028-3BA597D30F32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]