Skip to main content

CVE-2026-0049

| EUVDEUVD-2026-19402 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-06 google_android GHSA-hxfh-7372-q4ff
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 19:00 euvd
EUVD-2026-19402
Analysis Generated
Apr 06, 2026 - 19:00 vuln.today
CVE Published
Apr 06, 2026 - 18:20 nvd
MEDIUM 6.2

DescriptionCVE.org

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Resource exhaustion in Android's LocalImageResolver.java onHeaderDecoded function allows local attackers to cause persistent denial of service without requiring special privileges or user interaction. The vulnerability affects Android 14, 15, and 16, with a CVSS score of 6.2 reflecting local attack vector and high availability impact. CISA SSVC assessment indicates no exploitation evidence detected at time of analysis, though the automatable attack vector and partial technical impact warrant prioritization for patching.

Technical ContextAI

The vulnerability resides in LocalImageResolver.java's onHeaderDecoded method within Google Android, a fundamental component responsible for processing image headers. CWE-400 (Uncontrolled Resource Consumption) indicates the root cause is improper validation or limiting of resource allocation during header parsing. When malicious or malformed image headers are processed, the method fails to properly constrain resource usage, leading to exhaustion of system resources (memory, CPU, or other local system resources). The attack operates at the local level on the device, exploiting the Android framework's image resolution logic without requiring elevated privileges.

RemediationAI

Apply the security patch released in the April 1, 2026 Android security bulletin available at https://source.android.com/security/bulletin/2026-04-01. Device owners should check for over-the-air (OTA) updates targeting their specific Android version and device model, as patches are typically rolled out incrementally by OEM. For Android 14, 15, and 16 devices, enable automatic system updates if not already configured. Enterprise administrators should validate patch deployment across managed devices via MDM platforms before considering the vulnerability remediated. Users unable to apply patches immediately should minimize installation of untrusted applications and avoid downloading image files from untrusted sources, though these are incomplete mitigations for a local vulnerability.

Share

CVE-2026-0049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy