Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local co-resident unprivileged app triggers persistent DoS with no user interaction; no confidentiality or integrity impact per description, so AV:L, PR:N, A:H only.
Primary rating from Vendor (google_android).
CVSS VectorVendor: google_android
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Persistent local denial of service in Google Android (Wear OS) is possible due to a missing permission check declared in AndroidManifest.xml, allowing a co-resident unprivileged app to invoke a protected component and render device functionality unavailable. No user interaction or elevated privileges are required, but exploitation is local rather than remote despite the headline CVSS 4.0 score of 10.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the attacker to execute code locally on the Wear OS device as an unprivileged app - typically achieved by getting the victim to install a malicious watch app via Play Store, sideload, or paired-phone push. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | There is a clear conflict between the reported CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N with all impact metrics High including subsequent-system C/I/A) and the description, which states the issue is a 'local denial of service with no additional execution privileges needed.' The reported 10.0 score is almost certainly miscoded by the source: a missing-permission DoS in AndroidManifest cannot plausibly yield network-vector confidentiality and integrity compromise of a separate system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user installs a seemingly benign third-party Wear OS app from a sideloaded APK or paired-phone source; the app, with no special permissions, invokes the unprotected exported component and triggers a state change (e.g., crash-looping a system service or corrupting a persisted preference) that survives reboot, leaving the watch unusable until a factory reset. No public PoC has been identified at time of analysis. |
| Remediation | Patch available per vendor advisory: update affected Wear OS devices to security patch level 2026-06-01 or later as published in the Android Wear bulletin at https://source.android.com/docs/security/bulletin/wear/2026/2026-06-01, and apply the corresponding OEM firmware once released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Wear OS devices and third-party applications; identify non-approved sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37857
GHSA-vj42-43ch-3xp2