Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
The description specifies a local DoS triggerable by any installed app without user interaction, so AV:L, PR:L, UI:N, A:H only; no confidentiality or integrity impact and no scope change.
Primary rating from Vendor (google_android).
CVSS Vector (Vendor: google_android): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
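The vendor vector above and the description-derived metrics disagree on almost every base metric, which is exactly the kind of inconsistency a triage analyst should catch before a score drives prioritisation. The following is an added example, not vuln.today's, FIRST's or Google's code: a strict CVSS v4.0 base-vector parser plus a comparison against the metrics the CVE text implies. The names `parse_cvss4`, `conflicts` and `DESCRIPTION_IMPLIED` are chosen here for illustration. The mapping assumes CVSS v4.0 conventions: v4.0 has no Scope metric, so "no scope change" is expressed as no subsequent-system impact (SC/SI/SA:N), and the v3-style "A:H" corresponds to VA:H.

```python
"""Parse a CVSS v4.0 base vector and compare it with the metrics a CVE
description implies. Added example for this page; not vuln.today's,
FIRST's or Google's code. parse_cvss4, conflicts and DESCRIPTION_IMPLIED
are names chosen here (hypothetical), not a published API."""

# Allowed values for the eleven CVSS v4.0 base metrics (FIRST specification).
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"},   # Attack Vector
    "AC": {"L", "H"},             # Attack Complexity
    "AT": {"N", "P"},             # Attack Requirements
    "PR": {"N", "L", "H"},        # Privileges Required
    "UI": {"N", "P", "A"},        # User Interaction
    "VC": {"H", "L", "N"},        # Vulnerable system Confidentiality
    "VI": {"H", "L", "N"},        # Vulnerable system Integrity
    "VA": {"H", "L", "N"},        # Vulnerable system Availability
    "SC": {"H", "L", "N"},        # Subsequent system Confidentiality
    "SI": {"H", "L", "N"},        # Subsequent system Integrity
    "SA": {"H", "L", "N"},        # Subsequent system Availability
}


def parse_cvss4(vector: str) -> dict:
    """Return {metric: value} for a CVSS v4.0 base vector, rejecting anything
    malformed: wrong prefix, unknown metric, bad value, duplicate or missing
    metric. Strict parsing matters because vectors are frequently copied by
    hand between advisories and trackers."""
    prefix, sep, body = vector.strip().partition("/")
    if not sep or prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r}")
        if name not in BASE_METRICS:
            # Threat, environmental and supplemental metrics are out of scope here.
            raise ValueError(f"unsupported metric {name!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


# Vendor vector exactly as published on this page.
VENDOR_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"

# What the CVE text implies (assumption, derived here from the description):
# local attack from any installed app (AV:L, PR:L), no user interaction,
# availability impact only on the vulnerable system. CVSS v4.0 has no Scope
# metric, so "no scope change" maps to SC/SI/SA:N; v3-style "A:H" is VA:H.
DESCRIPTION_IMPLIED = {
    "AV": "L", "PR": "L", "UI": "N",
    "VC": "N", "VI": "N", "VA": "H",
    "SC": "N", "SI": "N", "SA": "N",
}


def conflicts(vector: str, expected: dict) -> dict:
    """Return {metric: (published, expected)} for every metric on which the
    vector disagrees with the expected values; an empty dict means consistent."""
    parsed = parse_cvss4(vector)
    return {m: (parsed[m], v) for m, v in expected.items() if parsed[m] != v}


if __name__ == "__main__":
    for metric, (got, want) in conflicts(VENDOR_VECTOR, DESCRIPTION_IMPLIED).items():
        print(f"{metric}: published {got}, description implies {want}")
```

Run against the vendor vector, `conflicts` reports seven disagreements (AV, PR, VC, VI, SC, SI, SA); only UI and VA agree with the description. A vector built from the description-implied metrics yields no conflicts, which is the check to apply whenever a tracker's "primary rating" and the CVE text diverge this sharply.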
Description (source: CVE.org)
In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Analysis (AI)
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.transfer() that allows a local app to trigger memory exhaustion of the system package installer. The flaw, addressed in the Android Security Bulletin for Android 17, can be triggered without user interaction and without elevated privileges, but its impact is confined to denial of service rather than code execution. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires the attacker to have code execution as an installed Android application on the target device (any normal app context is sufficient; no system privileges or user interaction needed) and the ability to call into PackageInstaller.Session#transfer on a vulnerable Android build prior to the Android 17 bulletin patch level. … |
| Risk Assessment | The signals here conflict sharply and warrant analyst attention. … |
| Exploit Scenario | A malicious app installed from a third-party source (or a benign app later compromised) invokes PackageInstaller.Session#transfer in a crafted sequence that triggers the logic error, causing the system package installer to consume excess memory. The resulting OutOfMemory condition can crash system_server or stall package management on the device, requiring a reboot or recovery action; no public proof-of-concept has been identified. |
| Remediation | Patch available per vendor advisory: apply the Android security patch level associated with the Android 17 bulletin at https://source.android.com/docs/security/bulletin/android-17 as soon as the OEM and carrier ship it for the affected device. … |
Recommended Action (AI)
Within 24 hours: Inventory all Android devices and determine OS versions; prioritize business-critical infrastructure. …
EUVD-2026-37566