{"id":"ASB-A-460779368","details":"In createSessionInternal of PackageInstallerService.java, there is a possible to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-460779368","CVE-2026-0055"],"modified":"2026-06-24T15:00:40.818157658Z","published":"2026-06-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2026-06-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/frameworks/base/+/62ec466efd801a253a1134011bf9c0e83f1bfb1d"}],"affected":[{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"17-next:0"},{"fixed":"17-next:2026-06-01"}]}],"versions":["17-next"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/fe2d4eb0555ab2f1ea812d2b12e0a1548edea2e7"],"severity":"High","types":["EoP"],"vanir_signatures":[{"id":"ASB-A-460779368-0d2fa5b1","source":"https://android.googlesource.com/platform/frameworks/base/+/fe2d4eb0555ab2f1ea812d2b12e0a1548edea2e7","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["254972440605461210426826536669638236202","167893991033820611825204082068731878774","232125048972906336622550170191555660809","117029669476753100572255137914406469982"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}},{"id":"ASB-A-460779368-43fc027a","source":"https://android.googlesource.com/platform/frameworks/base/+/fe2d4eb0555ab2f1ea812d2b12e0a1548edea2e7","deprecated":false,"signature_version":"v1","digest":{"function_hash":"185727764426197639498552116118627145496","length":12548},"signature_type":"Function","target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java","function":"createSessionInternal"}}],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-460779368.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"15:0"},{"fixed":"15:2026-06-01"}]}],"versions":["15"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/43f1b833e3521a506f55a608d971da3a06123043"],"types":["EoP"],"severity":"High","vanir_signatures":[{"id":"ASB-A-460779368-367e3097","source":"https://android.googlesource.com/platform/frameworks/base/+/43f1b833e3521a506f55a608d971da3a06123043","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["254972440605461210426826536669638236202","167893991033820611825204082068731878774","232125048972906336622550170191555660809","117029669476753100572255137914406469982"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"},"signature_type":"Line"},{"id":"ASB-A-460779368-fbe22706","source":"https://android.googlesource.com/platform/frameworks/base/+/43f1b833e3521a506f55a608d971da3a06123043","deprecated":false,"signature_version":"v1","digest":{"function_hash":"114297757959919742379137534179002051566","length":11705},"target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java","function":"createSessionInternal"},"signature_type":"Function"}],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-460779368.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16:0"},{"fixed":"16:2026-06-01"}]}],"versions":["16"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/f10d91c07960e69b9d89f557a84e780c985d4178"],"types":["EoP"],"severity":"High","vanir_signatures":[{"id":"ASB-A-460779368-1fc2cb84","source":"https://android.googlesource.com/platform/frameworks/base/+/f10d91c07960e69b9d89f557a84e780c985d4178","deprecated":false,"signature_version":"v1","digest":{"function_hash":"23736031519892428315727038758685826115","length":11712},"signature_type":"Function","target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java","function":"createSessionInternal"}},{"id":"ASB-A-460779368-46ccea7e","source":"https://android.googlesource.com/platform/frameworks/base/+/f10d91c07960e69b9d89f557a84e780c985d4178","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["254972440605461210426826536669638236202","167893991033820611825204082068731878774","232125048972906336622550170191555660809","117029669476753100572255137914406469982"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"},"signature_type":"Line"}],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-460779368.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"16-qpr2:0"},{"fixed":"16-qpr2:2026-06-01"}]}],"versions":["16-qpr2"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/e8a25baeb30aaec64e80f1c7e55a44b1a93e9337"],"severity":"High","types":["EoP"],"vanir_signatures":[{"id":"ASB-A-460779368-04fbc21a","source":"https://android.googlesource.com/platform/frameworks/base/+/e8a25baeb30aaec64e80f1c7e55a44b1a93e9337","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["254972440605461210426826536669638236202","167893991033820611825204082068731878774","232125048972906336622550170191555660809","117029669476753100572255137914406469982"],"threshold":0.9},"target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"},"signature_type":"Line"},{"id":"ASB-A-460779368-537f9e9e","source":"https://android.googlesource.com/platform/frameworks/base/+/e8a25baeb30aaec64e80f1c7e55a44b1a93e9337","deprecated":false,"signature_version":"v1","digest":{"function_hash":"209062086188655214902542174846261069862","length":12630},"signature_type":"Function","target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java","function":"createSessionInternal"}}],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-460779368.json"}},{"package":{"name":"platform/frameworks/base","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"14:0"},{"fixed":"14:2026-06-01"}]}],"versions":["14"],"ecosystem_specific":{"fixes":["https://android.googlesource.com/platform/frameworks/base/+/5dc8ec833691c2e2d61ea6ef90b7858c78a64e3e"],"types":["EoP"],"severity":"High","vanir_signatures":[{"id":"ASB-A-460779368-cf54648e","source":"https://android.googlesource.com/platform/frameworks/base/+/5dc8ec833691c2e2d61ea6ef90b7858c78a64e3e","deprecated":false,"signature_version":"v1","digest":{"line_hashes":["254972440605461210426826536669638236202","167893991033820611825204082068731878774","232125048972906336622550170191555660809","117029669476753100572255137914406469982"],"threshold":0.9},"signature_type":"Line","target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java"}},{"id":"ASB-A-460779368-db7496e1","source":"https://android.googlesource.com/platform/frameworks/base/+/5dc8ec833691c2e2d61ea6ef90b7858c78a64e3e","deprecated":false,"signature_version":"v1","digest":{"function_hash":"91625058542454682175703424736644065853","length":10025},"signature_type":"Function","target":{"file":"services/core/java/com/android/server/pm/PackageInstallerService.java","function":"createSessionInternal"}}],"spl":"2026-06-01"},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-460779368.json"}}],"schema_version":"1.7.5"}