Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In updateState of GraphicsDriverEnableAngleAsSystemDriverController.java, there is a possible persistent dos issue due to an unusual root cause. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Persistent local denial of service in Google Android affects the ANGLE graphics driver state management component across Android 14, 15, 16, and 16-qpr2. A low-privileged local process can trigger a persistent DoS condition via the updateState method in GraphicsDriverEnableAngleAsSystemDriverController.java without requiring any user interaction, potentially rendering the device unusable until rebooted. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog.
Technical ContextAI
The vulnerability exists in GraphicsDriverEnableAngleAsSystemDriverController.java, specifically in the updateState method responsible for managing the system-level enablement state of ANGLE (Almost Native Graphics Layer Engine) as the system graphics driver on Android. ANGLE is a cross-platform graphics abstraction layer that translates OpenGL ES API calls to platform-native graphics APIs (e.g., Vulkan, Metal, Direct3D). The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:* covering all architectures and variants of the affected release trains. The root cause is described as 'unusual' by Google and the CWE is listed as N/A, suggesting this is likely a logic flaw, state machine error, or unhandled edge case in the driver enablement lifecycle rather than a conventional memory safety vulnerability. The persistence of the DoS - implying it survives beyond the triggering process - points to a durable system-level state corruption or a crash loop in a privileged system service.
RemediationAI
Apply the Android Security Bulletin patch for June 2026 (2026-06-01), available through OEM device update channels and the Android Open Source Project. The bulletin is accessible at https://source.android.com/docs/security/bulletin/2026/2026-06-01. An exact patched version number was not independently confirmed from available input data - device administrators should verify patch level via Settings > About Phone > Android Security Patch Level, ensuring the device reflects the 2026-06-01 security patch level or later. For enterprise environments managing Android fleets via MDM (e.g., Android Enterprise, Microsoft Intune), enforce mandatory patch level compliance policies. As a compensating control where patching is not immediately feasible, restricting sideloading and app installation from unknown sources reduces exposure to untrusted low-privileged processes that could trigger the condition, though this does not eliminate risk from compromised legitimate apps.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33785
GHSA-7g73-7cr8-8qpw