CVE-2025-26418
CarDevicePolicyService Missing Permission Check Leads to Local Privilege Escalation
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the setUserDisclaimerAcknowledged method of the CarDevicePolicyService.java component. It allows an attacker to bypass the user dialog that normally appears when adding an account to a managed device. The root cause is a missing permission check, which means the system does not properly verify if the action is authorized.
Because of this flaw, an attacker can escalate their privileges locally without needing any additional execution privileges or user interaction.
How can this vulnerability impact me? :
This vulnerability can lead to local escalation of privilege on a managed device. An attacker could add accounts or perform actions that normally require user consent or higher privileges without triggering the expected user dialog or permission checks.
Since no user interaction or additional execution privileges are needed, it increases the risk of unauthorized access or control over device management features.