Skip to main content

Google Android EUVDEUVD-2026-37565

| CVE-2026-0064 CRITICAL
Uncontrolled Resource Consumption (CWE-400)
2026-06-17 google_android
10.0
CVSS 4.0 · Vendor: google_android
Share

Severity by source

Vendor (google_android) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
vuln.today AI
5.5 MEDIUM

Description states local DoS by an unprivileged app with no user interaction; only availability is affected, so AV:L, PR:L, C:N, I:N, A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (google_android).

CVSS VectorVendor: google_android

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 08:29 vuln.today
CVE Published
Jun 17, 2026 - 06:59 cve.org
CRITICAL 10.0

DescriptionCVE.org

In multiple places, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

AnalysisAI

Persistent denial of service in Google Android allows local attackers to exhaust device resources in multiple code paths, rendering functionality unavailable until manual intervention. The flaw requires no privileges and no user interaction, and is addressed in the Android Security Bulletin for android-17. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker installs unprivileged app on Android device
Delivery
App invokes vulnerable code path repeatedly
Exploit
Resource leak accumulates without reclamation
Execution
Affected service or device becomes unresponsive
Impact
Persistent denial of service survives reboot

Vulnerability AssessmentAI

Exploitation The attacker must be able to run code on the device (local execution context such as an installed app or ADB session) - the description states 'local denial of service' and 'no additional execution privileges needed,' so a standard, unprivileged app with no special permissions is sufficient and no user interaction is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are sharply conflicting and must be reconciled before treating this as a P0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A locally installed, unprivileged application repeatedly invokes the vulnerable code paths to consume a finite system resource that is not reclaimed, causing the device or a core service to become unusable and to remain unusable across user sessions or reboots until manual remediation. No user interaction is required beyond the attacker app being present on the device, and no public exploit identified at time of analysis.
Remediation Apply the security patch level corresponding to the android-17 Android Security Bulletin published at https://source.android.com/docs/security/bulletin/android-17 (patch available per vendor advisory; exact fix build/patch level should be confirmed against the bulletin for the specific device). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and prioritize Android devices by business criticality; alert users and device administrators of the vulnerability and physical access risks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy