Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In isSameApp of NotificationManagerService.java, there is a possible persistent dos due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Persistent denial of service in Google Android's NotificationManagerService allows a local unprivileged application to exhaust system resources via the isSameApp method, rendering the device's notification subsystem - and potentially broader system stability - unavailable. Affected versions include Android 14, 15, and 16 as disclosed in the June 2026 Android Security Bulletin. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Technical ContextAI
The vulnerability resides in NotificationManagerService.java, a core Android system service (running in the system_server process) responsible for managing notification dispatch and routing across applications. The isSameApp method is used to compare package or application identity, likely to enforce per-app notification policies or deduplication. CWE-400 (Uncontrolled Resource Consumption) indicates that a local attacker can trigger a code path within isSameApp that allocates resources - such as memory, file descriptors, or thread handles - without adequate bounds or cleanup, leading to resource exhaustion. Because the DoS is described as 'persistent,' the impacted state survives individual request handling and may require a device reboot to restore normal operation. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers all Android variants across the affected version range.
RemediationAI
Apply the June 2026 Android Security Bulletin patches, available via OEM update channels for Android 14, 15, and 16 - the advisory is published at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device users should install the security patch level dated 2026-06-01 or later. Exact patched build numbers per OEM (Samsung, Pixel, etc.) depend on each vendor's update cadence and were not independently confirmed from the available input data. As a compensating control, enterprise MDM administrators can restrict sideloading and enforce application allowlisting to limit which applications can reach the vulnerable code path - this does not eliminate the vulnerability but reduces the attack surface by preventing untrusted apps from running on managed devices. Note that restricting app installation may impair legitimate business application use. No vendor-provided workaround short of patching is documented in the available references.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210015
GHSA-6795-9hw7-647f