Skip to main content

Google Android EUVDEUVD-2026-33790

| CVE-2026-0074 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 google_android GHSA-9f64-2cq8-48wf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 02, 2026 - 00:32 vuln.today
CVSS changed
Jun 02, 2026 - 00:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 01, 2026 - 21:14 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 21:14 nvd
MEDIUM 5.5

DescriptionCVE.org

In getPreferredSize of LauncherProcessImageListener.kt, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Resource exhaustion in Android's launcher image processing component allows a local low-privileged application to trigger a denial of service condition across Android 14 through 16. The flaw resides in the getPreferredSize method of LauncherProcessImageListener.kt, where uncontrolled resource consumption (CWE-400) can be induced without requiring elevated privileges or user interaction, resulting in high availability impact to the affected device. No public exploit code and no active exploitation have been identified at time of analysis; the CVSS score of 5.5 reflects the local-only attack surface and absence of confidentiality or integrity impact.

Technical ContextAI

The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption) within the Android launcher subsystem. Specifically, the getPreferredSize method in LauncherProcessImageListener.kt - a Kotlin-based component responsible for handling launcher process image sizing - fails to properly bound or throttle resource usage, enabling a caller to exhaust system resources. The affected CPE is cpe:2.3:a:google:android:*:*:*:*:*:*:*:*, spanning four major release trains (Android 14, 15, 16, and 16-qpr2) as confirmed by EUVD-2026-33790. The launcher process image listener is part of the Android application framework layer, meaning exploitation occurs within the app-to-system process boundary without requiring system-level privileges.

RemediationAI

Apply the security patches published in the Android Security Bulletin for June 2026, available at https://source.android.com/docs/security/bulletin/2026/2026-06-01. Users and OEMs should ensure devices are updated to a patch level of 2026-06-01 or later. No exact fixed build version beyond the bulletin patch level is independently confirmed from available data. For managed device fleets where OEM patches may lag, a compensating control is to restrict installation of untrusted or sideloaded applications via MDM policy, which removes the local execution prerequisite needed to trigger the vulnerability. This restriction has the trade-off of limiting user app flexibility but materially reduces the attack surface for this and similar local privilege-class vulnerabilities.

Share

EUVD-2026-33790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy