Skip to main content

Google Android CVE-2026-0069

| EUVDEUVD-2026-33788 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 google_android GHSA-qqc5-phf9-g9fv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:31 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In verifySignature of ApkChecksums.java, there is a possible way to cause a crash due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Resource exhaustion in Android 14's APK signature verification routine crashes the affected component, resulting in a local denial of service. The flaw resides in the verifySignature method of ApkChecksums.java, where uncontrolled resource consumption (CWE-400) can be triggered by a low-privileged local process with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The vulnerability is rooted in ApkChecksums.java, a component of Android's package manager or installer subsystem responsible for verifying APK file signatures during installation or validation. The CWE-400 (Uncontrolled Resource Consumption) root cause indicates the verifySignature method does not impose adequate limits on memory, CPU cycles, or I/O when processing potentially malicious or malformed APK checksum inputs, leading to resource exhaustion and a process crash. The affected product is identified via CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* with EUVD specifying Android 14 as the confirmed affected version. The CVSS vector AV:L/AC:L/PR:L/UI:N reflects that exploitation is straightforward once local access with standard app-level privileges is obtained.

RemediationAI

The primary remediation is to apply the security patch distributed via the Android Security Bulletin for 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers and carriers should integrate and distribute this patch as an OTA update for Android 14 devices. An exact patched version number is not independently confirmed from the available data - patch availability is confirmed per the vendor advisory but the specific build string should be verified against the bulletin. As a compensating control prior to patching, restricting the installation of untrusted third-party APKs (disabling 'Install unknown apps' in device settings) can reduce the attack surface, since the vulnerable code path is exercised during APK verification. Note that this control does not prevent exploitation by already-installed apps capable of triggering the code path programmatically.

Share

CVE-2026-0069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy