Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Resource exhaustion in Android's LocalImageResolver.java onHeaderDecoded function allows local attackers to cause persistent denial of service without requiring special privileges or user interaction. The vulnerability affects Android 14, 15, and 16, with a CVSS score of 6.2 reflecting local attack vector and high availability impact. CISA SSVC assessment indicates no exploitation evidence detected at time of analysis, though the automatable attack vector and partial technical impact warrant prioritization for patching.
Technical ContextAI
The vulnerability resides in LocalImageResolver.java's onHeaderDecoded method within Google Android, a fundamental component responsible for processing image headers. CWE-400 (Uncontrolled Resource Consumption) indicates the root cause is improper validation or limiting of resource allocation during header parsing. When malicious or malformed image headers are processed, the method fails to properly constrain resource usage, leading to exhaustion of system resources (memory, CPU, or other local system resources). The attack operates at the local level on the device, exploiting the Android framework's image resolution logic without requiring elevated privileges.
RemediationAI
Apply the security patch released in the April 1, 2026 Android security bulletin available at https://source.android.com/security/bulletin/2026-04-01. Device owners should check for over-the-air (OTA) updates targeting their specific Android version and device model, as patches are typically rolled out incrementally by OEM. For Android 14, 15, and 16 devices, enable automatic system updates if not already configured. Enterprise administrators should validate patch deployment across managed devices via MDM platforms before considering the vulnerability remediated. Users unable to apply patches immediately should minimize installation of untrusted applications and avoid downloading image files from untrusted sources, though these are incomplete mitigations for a local vulnerability.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19402
GHSA-hxfh-7372-q4ff