CVE-2026-0023
Published: 02 March 2026
Summary
CVE-2026-0023 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly addressing the missing permission check in createSessionInternal that allows improper ownership updates.
Employs least privilege to restrict access rights, mitigating local privilege escalation from low-privilege apps exploiting the PackageInstallerService vulnerability.
Requires identification, reporting, and correction of flaws like the missing permission check, enabling patching as specified in the Android security bulletin.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing permission check enables local privilege escalation on Android device, directly matching exploitation for privilege escalation.
NVD Description
In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not…
more
needed for exploitation.
Deeper analysisAI
CVE-2026-0023 is a vulnerability in the createSessionInternal method of PackageInstallerService.java within the Android platform. It stems from a missing permission check that allows an installed app to improperly update its ownership. This flaw enables local escalation of privilege without requiring additional execution privileges or user interaction, as classified under CWE-269 (Improper Privilege Management). The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A local attacker with low privileges, such as a malicious app running on the device, can exploit this issue with low complexity and no user interaction. Successful exploitation allows the attacker to escalate privileges, potentially gaining full control over the device by modifying app ownership through the PackageInstallerService.
The Android security bulletin published on March 1, 2026, at https://source.android.com/docs/security/bulletin/2026/2026-03-01 details patches addressing this vulnerability for affected Android versions. Security practitioners should consult the bulletin for specific patch levels and update recommendations.
Details
- CWE(s)