Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In getPreferredSize of LauncherProcessImageListener.kt, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Resource exhaustion in Android's launcher image processing component allows a local low-privileged application to trigger a denial of service condition across Android 14 through 16. The flaw resides in the getPreferredSize method of LauncherProcessImageListener.kt, where uncontrolled resource consumption (CWE-400) can be induced without requiring elevated privileges or user interaction, resulting in high availability impact to the affected device. No public exploit code and no active exploitation have been identified at time of analysis; the CVSS score of 5.5 reflects the local-only attack surface and absence of confidentiality or integrity impact.
Technical ContextAI
The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption) within the Android launcher subsystem. Specifically, the getPreferredSize method in LauncherProcessImageListener.kt - a Kotlin-based component responsible for handling launcher process image sizing - fails to properly bound or throttle resource usage, enabling a caller to exhaust system resources. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, spanning four major release trains (Android 14, 15, 16, and 16-qpr2) as confirmed by EUVD-2026-33790. The launcher process image listener is part of the Android application framework layer, meaning exploitation occurs within the app-to-system process boundary without requiring system-level privileges.
RemediationAI
Apply the security patches published in the Android Security Bulletin for June 2026, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Users and OEMs should ensure devices are updated to a patch level of 2026-06-01 or later. No exact fixed build version beyond the bulletin patch level is independently confirmed from available data. For managed device fleets where OEM patches may lag, a compensating control is to restrict installation of untrusted or sideloaded applications via MDM policy, which removes the local execution prerequisite needed to trigger the vulnerability. This restriction has the trade-off of limiting user app flexibility but materially reduces the attack surface for this and similar local privilege-class vulnerabilities.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33790
GHSA-9f64-2cq8-48wf