Skip to main content

Android Wear OS CVE-2026-28573

| EUVDEUVD-2026-37857 CRITICAL
Missing Authorization (CWE-862)
2026-06-18 google_android GHSA-vj42-43ch-3xp2
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.2 MEDIUM

Local co-resident unprivileged app triggers persistent DoS with no user interaction; no confidentiality or integrity impact per description, so AV:L, PR:N, A:H only.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 08:02 vuln.today
CVE Published
Jun 18, 2026 - 06:29 cve.org
CRITICAL 10.0

DescriptionCVE.org

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent local denial of service in Google Android (Wear OS) is possible due to a missing permission check declared in AndroidManifest.xml, allowing a co-resident unprivileged app to invoke a protected component and render device functionality unavailable. No user interaction or elevated privileges are required, but exploitation is local rather than remote despite the headline CVSS 4.0 score of 10.0. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker publishes malicious Wear OS app
Delivery
Victim installs app on watch
Exploit
App calls unprotected exported component
Execution
Missing permission check bypassed
Persist
Persistent state corruption or service crash
Impact
Device unusable until factory reset

Vulnerability AssessmentAI

Exploitation Requires the attacker to execute code locally on the Wear OS device as an unprivileged app - typically achieved by getting the victim to install a malicious watch app via Play Store, sideload, or paired-phone push. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment There is a clear conflict between the reported CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with all impact metrics High including subsequent-system C/I/A) and the description, which states the issue is a 'local denial of service with no additional execution privileges needed.' The reported 10.0 score is almost certainly miscoded by the source: a missing-permission DoS in AndroidManifest cannot plausibly yield network-vector confidentiality and integrity compromise of a separate system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user installs a seemingly benign third-party Wear OS app from a sideloaded APK or paired-phone source; the app, with no special permissions, invokes the unprotected exported component and triggers a state change (e.g., crash-looping a system service or corrupting a persisted preference) that survives reboot, leaving the watch unusable until a factory reset. No public PoC has been identified at time of analysis.
Remediation Patch available per vendor advisory: update affected Wear OS devices to security patch level 2026-06-01 or later as published in the Android Wear bulletin at https://source.android.com/docs/security/bulletin/wear/2026/2026-06-01, and apply the corresponding OEM firmware once released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Wear OS devices and third-party applications; identify non-approved sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy