CVE-2026-0023 · In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permis

01 · The Real Story

This is a bad valet key, not an unlocked front door

CVE-2026-0023 is an Android PackageInstallerService authorization flaw in createSessionInternal(). Public records tie it to Android 14, 15, 16, and 16-qpr2 before the March 2026 fixes; the bug lets an already-installed app abuse installer session state because a permission/flag check was missing or incomplete, resulting in local elevation of privilege on that one device.

Google's HIGH 7.8 CVSS is technically fair in a lab because the impact on the compromised handset can be serious. In enterprise reality, though, this starts after the attacker already has code running on the device, has no network reachability, has no KEV or exploitation signal, and often runs into Managed Google Play, sideload restrictions, and Play Protect. That's why this drops to MEDIUM for a 10,000-device patch queue.

"This is a post-install Android local EoP bug, not a fleet-wide emergency."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land code on the handset

The attacker first needs an app executing on the target Android device. In practice that means a malicious app from a third-party source, a trojanized enterprise sideload, or a previously approved app gone bad. This CVE does not provide initial access by itself.

Conditions required:

Target is running affected Android 14/15/16 lineage
Attacker can get an app installed in the personal profile or work profile

Where this breaks in practice:

Managed Google Play allowlists and DISALLOW_INSTALL_UNKNOWN_SOURCES cut off a large chunk of enterprise exposure
Google Play Protect and mobile threat defense products can block or flag the delivery stage

Detection/coverage: Traditional network scanners will miss this entirely. Detection belongs in EMM/UEM inventory, Play Protect telemetry, app allowlisting, and MTD/EDR-for-mobile feeds.

STEP 02

Abuse the installer session API

The malicious app then calls the local package installer workflow and crafts PackageInstaller.SessionParams values to request installer-controlled behavior. Public Android API docs show update-ownership-related behavior is guarded by ENFORCE_UPDATE_OWNERSHIP, so the exploit path is to smuggle installer state through createSessionInternal() when the service should have stripped it.

Conditions required:

App can invoke local package install/session APIs
Device is unpatched before the March 2026 fix

Where this breaks in practice:

There is no public end-to-end PoC showing reliable exploitation across OEM builds
The exact exploit primitive is muddied by public metadata: the CVE text mentions update ownership, while the linked AOSP bug fix also hardens installer-managed flags

Detection/coverage: Static code review and patch diffing show the bug class; runtime detection is weaker unless you log unusual package installer session creation and follow-on package state changes.

STEP 03

Bypass the missing check in createSessionInternal()

On affected builds, PackageInstallerService fails to fully reject or sanitize certain privileged installer flags during session creation. AOSP's March 2026 fixes explicitly clear privileged install flags and preserve the permission gate around update ownership, closing the trust boundary the app was crossing.

Conditions required:

Affected framework build from Android 14/15/16/16-qpr2
Attack reaches PackageInstallerService locally

Where this breaks in practice:

This is framework logic, so behavior can vary with OEM backports and monthly patch cadence
Exploit reliability is likely branch-specific because AOSP lists different fix commits per release train

Detection/coverage: Good SBOM/SPL hygiene can identify exposure. Generic CVE scanners often only know the OS version, not whether the OEM has backported the exact framework fix.

STEP 04

Convert installer trust into local privilege gain

With the unauthorized installer state accepted, the malicious app can manipulate package-install/update trust in a way that elevates what it can do on that device. The blast radius is the handset or work profile already hosting the app; this is not a wormable or remotely triggerable enterprise-wide event.

Conditions required:

Attacker app remains resident on the device
Follow-on package operations succeed under the abused installer state

Where this breaks in practice:

SELinux, app sandboxing, work-profile isolation, and enterprise install controls limit what the attacker can turn this into
No confirmed in-the-wild campaign or KEV listing suggests low operational maturity by attackers so far

Detection/coverage: Look for anomalous package installer sessions, unexpected app update ownership changes, and suspicious package update attempts originating from non-approved installers.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found. Google's March 2026 bulletin only calls out a different CVE (`CVE-2026-21385`) as seeing limited targeted exploitation, not this one.
PoC availability	No public weaponized PoC located in open web/GitHub search results. The public AOSP fix diff exists, which lowers reverse-engineering cost, but that's not the same as a turnkey exploit.
EPSS	`0.00003` from the user-supplied intel; secondary enrichment sources place it around the bottom tenth percentile. Translation: exploit interest is currently negligible.
KEV status	Not in CISA KEV as checked on 2026-05-30 against the KEV catalog.
CVSS vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` — the important part is `AV:L` + `PR:L`. An attacker already needs code execution on the device.
Affected versions	Android bulletin and OSV map this to Android 14, 15, 16, and 16-qpr2 / corresponding `platform/frameworks/base` branches before the March 2026 fix train.
Fixed versions	Google says security patch level `2026-03-05` or later addresses all issues in the March 2026 bulletin. OSV also lists branch-specific `frameworks/base` fixes for 14/15/16/16-qpr2.
Scanning / exposure data	No meaningful Shodan/Censys/FOFA angle. This is a local framework flaw inside package installation logic, so internet census tools won't show exposure. Reachable population is driven by installed-app execution, not open ports.
Disclosure timeline	Disclosed 2026-03-02 in the Android Security Bulletin; public AOSP commit metadata shows the fix was authored in late 2025-11 and merged into release branches ahead of bulletin publication.
Reporting / patch ownership	No public researcher credit is listed in the bulletin. The linked AOSP change is authored by Sanjana Sunil for bug A-459461121.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (5.3/10)

The decisive factor is attacker position: this bug is only useful after an attacker already has an app running on the device. That sharply narrows reachable population and turns a scary handset impact into a lower-priority enterprise patching event unless your mobile fleet tolerates sideloading or untrusted app distribution.

MEDIUM Severity downgrade from vendor HIGH to enterprise MEDIUM

HIGH Affected Android release trains and patch-level cutoff

MEDIUM Practical exploitability assessment given public ambiguity between CVE text and linked AOSP fix

Why this verdict

Starts post-compromise: AV:L and PR:L mean the attacker already has an installed app executing on the handset before this CVE matters.
Exposure population is narrow: enterprise Android fleets using Managed Google Play, app allowlists, and unknown-source restrictions materially reduce the number of devices where step 1 is realistic.
No active exploitation signal: no KEV, no public campaign attribution, and an extremely low EPSS keep downward pressure on urgency.

Why not higher?

This is not remotely reachable, not wormable, and not an edge-service bug that can be sprayed across your estate. Even if the per-device impact is severe, the prerequisite of local code execution means the attacker is already through your first line of defense.

Why not lower?

Once a malicious app is on an affected device, exploitation appears low-complexity and silent. For organizations with Android BYOD, permissive sideloading, or weak mobile app governance, this can still convert a modest foothold into a stronger one on the same handset.

05 · Compensating Control

What to do — in priority order.

Block unknown app sources — Use Android Enterprise controls such as DISALLOW_INSTALL_UNKNOWN_SOURCES and Google Play managed configuration to keep installs inside Managed Google Play. For a MEDIUM verdict there is no noisgate mitigation SLA, so do this in the next mobile policy cycle rather than as an emergency change.
Enforce app allowlisting — Restrict work-profile and fully managed devices to approved app catalogs only. This directly attacks the hardest prerequisite in the chain: getting attacker code onto the handset in the first place.
Watch for package-installer abuse — Turn on whatever MTD/UEM telemetry you have for suspicious installs, silent update attempts, or unexpected installer/package-owner changes. This won't prevent the bug, but it improves visibility on the only practical exploitation path.
Prioritize risky mobile cohorts — Focus first on BYOD, COPE, contractor, kiosk, and field devices that routinely receive third-party APKs or looser app controls. That's where the local-app prerequisite is most credible.

What doesn't work

Perimeter firewalls or WAFs do nothing here; there is no network-facing service to shield.
Routine external vulnerability scanning does nothing here; exposure is determined by handset patch level and app governance, not open ports.
Desktop EDR assumptions don't translate cleanly; if you don't have mobile telemetry, this bug can stay invisible after app installation.

06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation with adb installed and USB debugging or enterprise debugging access to the target Android device. Invoke it as ./check-cve-2026-0023.sh <serial> or omit the serial if only one device is attached; no root is required, but you need adb shell access.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-0023.sh
# Purpose: Determine likely exposure to CVE-2026-0023 using Android version + security patch level.
# Logic:
#   - Affected major versions: Android 14, 15, 16 / API 34, 35, 36
#   - Patched if security patch level >= 2026-03-05
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

SERIAL_ARG="${1:-}"
ADB=(adb)
if [[ -n "$SERIAL_ARG" ]]; then
  ADB+=( -s "$SERIAL_ARG" )
fi

need_cmd() {
  command -v "$1" >/dev/null 2>&1
}

if ! need_cmd adb; then
  echo "UNKNOWN: adb not found in PATH"
  exit 2
fi

if ! "${ADB[@]}" get-state >/dev/null 2>&1; then
  echo "UNKNOWN: no reachable adb device"
  exit 2
fi

getprop_safe() {
  local key="$1"
  "${ADB[@]}" shell getprop "$key" 2>/dev/null | tr -d '\r'
}

SDK="$(getprop_safe ro.build.version.sdk)"
RELEASE="$(getprop_safe ro.build.version.release)"
PATCH="$(getprop_safe ro.build.version.security_patch)"
FINGERPRINT="$(getprop_safe ro.build.fingerprint)"
MODEL="$(getprop_safe ro.product.model)"

if [[ -z "$SDK" || -z "$PATCH" ]]; then
  echo "UNKNOWN: unable to read required properties"
  echo "model=${MODEL:-unknown} release=${RELEASE:-unknown} sdk=${SDK:-unknown} patch=${PATCH:-unknown}"
  exit 2
fi

# Normalize patch string to YYYY-MM-DD and compare lexicographically.
PATCH_CUTOFF="2026-03-05"

echo "model=${MODEL:-unknown}"
echo "release=${RELEASE:-unknown}"
echo "sdk=${SDK:-unknown}"
echo "patch=${PATCH:-unknown}"
echo "fingerprint=${FINGERPRINT:-unknown}"

case "$SDK" in
  34|35|36)
    if [[ "$PATCH" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
      if [[ "$PATCH" < "$PATCH_CUTOFF" ]]; then
        echo "VULNERABLE"
        exit 1
      else
        echo "PATCHED"
        exit 0
      fi
    else
      echo "UNKNOWN: unexpected patch format"
      exit 2
    fi
    ;;
  ''|*[!0-9]*)
    echo "UNKNOWN: unexpected SDK value"
    exit 2
    ;;
  *)
    # Outside the affected Android major versions cited by bulletin/OSV.
    echo "PATCHED"
    exit 0
    ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, pull an MDM/UEM inventory of Android 14/15/16 devices and flag anything with security patch level earlier than 2026-03-05. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window under the noisgate remediation SLA, but also tighten sideloading and app-allowlist controls in the same mobile policy cycle because that kills the real prerequisite for abuse. If your fleet includes BYOD or contractor devices with weak app controls, handle those first even though this is not an immediate-hours patch event.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.