Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In verifySignature of ApkChecksums.java, there is a possible way to cause a crash due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
AnalysisAI
Resource exhaustion in Android 14's APK signature verification routine crashes the affected component, resulting in a local denial of service. The flaw resides in the verifySignature method of ApkChecksums.java, where uncontrolled resource consumption (CWE-400) can be triggered by a low-privileged local process with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The vulnerability is rooted in ApkChecksums.java, a component of Android's package manager or installer subsystem responsible for verifying APK file signatures during installation or validation. The CWE-400 (Uncontrolled Resource Consumption) root cause indicates the verifySignature method does not impose adequate limits on memory, CPU cycles, or I/O when processing potentially malicious or malformed APK checksum inputs, leading to resource exhaustion and a process crash. The affected product is identified via CPE cpe:2.3:a:google:android:*:*:*:*:*:*:*:* with EUVD specifying Android 14 as the confirmed affected version. The CVSS vector AV:L/AC:L/PR:L/UI:N reflects that exploitation is straightforward once local access with standard app-level privileges is obtained.
RemediationAI
The primary remediation is to apply the security patch distributed via the Android Security Bulletin for 2026-06-01, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Device manufacturers and carriers should integrate and distribute this patch as an OTA update for Android 14 devices. An exact patched version number is not independently confirmed from the available data - patch availability is confirmed per the vendor advisory but the specific build string should be verified against the bulletin. As a compensating control prior to patching, restricting the installation of untrusted third-party APKs (disabling 'Install unknown apps' in device settings) can reduce the attack surface, since the vulnerable code path is exercised during APK verification. Note that this control does not prevent exploitation by already-installed apps capable of triggering the code path programmatically.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33788
GHSA-qqc5-phf9-g9fv