Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Description states local DoS by an unprivileged app with no user interaction; only availability is affected, so AV:L, PR:L, C:N, I:N, A:H.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Lifecycle Timeline
2DescriptionCVE.org
In multiple places, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Persistent denial of service in Google Android allows local attackers to exhaust device resources in multiple code paths, rendering functionality unavailable until manual intervention. The flaw requires no privileges and no user interaction, and is addressed in the Android Security Bulletin for android-17. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to run code on the device (local execution context such as an installed app or ADB session) - the description states 'local denial of service' and 'no additional execution privileges needed,' so a standard, unprivileged app with no special permissions is sufficient and no user interaction is required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are sharply conflicting and must be reconciled before treating this as a P0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A locally installed, unprivileged application repeatedly invokes the vulnerable code paths to consume a finite system resource that is not reclaimed, causing the device or a core service to become unusable and to remain unusable across user sessions or reboots until manual remediation. No user interaction is required beyond the attacker app being present on the device, and no public exploit identified at time of analysis. |
| Remediation | Apply the security patch level corresponding to the android-17 Android Security Bulletin published at https://source.android.com/docs/security/bulletin/android-17 (patch available per vendor advisory; exact fix build/patch level should be confirmed against the bulletin for the specific device). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and prioritize Android devices by business criticality; alert users and device administrators of the vulnerability and physical access risks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37565