Skip to main content

Google Android EUVDEUVD-2025-210015

| CVE-2025-48648 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 google_android GHSA-6795-9hw7-647f
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:22 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In isSameApp of NotificationManagerService.java, there is a possible persistent dos due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent denial of service in Google Android's NotificationManagerService allows a local unprivileged application to exhaust system resources via the isSameApp method, rendering the device's notification subsystem - and potentially broader system stability - unavailable. Affected versions include Android 14, 15, and 16 as disclosed in the June 2026 Android Security Bulletin. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Technical ContextAI

The vulnerability resides in NotificationManagerService.java, a core Android system service (running in the system_server process) responsible for managing notification dispatch and routing across applications. The isSameApp method is used to compare package or application identity, likely to enforce per-app notification policies or deduplication. CWE-400 (Uncontrolled Resource Consumption) indicates that a local attacker can trigger a code path within isSameApp that allocates resources - such as memory, file descriptors, or thread handles - without adequate bounds or cleanup, leading to resource exhaustion. Because the DoS is described as 'persistent,' the impacted state survives individual request handling and may require a device reboot to restore normal operation. The CPE string cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covers all Android variants across the affected version range.

RemediationAI

Apply the June 2026 Android Security Bulletin patches, available via OEM update channels for Android 14, 15, and 16 - the advisory is published at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device users should install the security patch level dated 2026-06-01 or later. Exact patched build numbers per OEM (Samsung, Pixel, etc.) depend on each vendor's update cadence and were not independently confirmed from the available input data. As a compensating control, enterprise MDM administrators can restrict sideloading and enforce application allowlisting to limit which applications can reach the vulnerable code path - this does not eliminate the vulnerability but reduces the attack surface by preventing untrusted apps from running on managed devices. Note that restricting app installation may impair legitimate business application use. No vendor-provided workaround short of patching is documented in the available references.

Share

EUVD-2025-210015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy