Description
In isSameApp of NotificationManagerService.java, there is a possible persistent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-01
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the isSameApp method of NotificationManagerService.java and can cause persistent resource exhaustion, leading to a local denial of service. Because the attack requires only local execution and no additional privileges, any user on the device can potentially exploit it. The impact is downtime of the notification subsystem and disruption of application visibility and user experience.

Affected Systems

The flaw is present on systems running Google’s Android operating system. No specific versions are listed in the CVE data, so all current Android releases may be affected until a patch is issued.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is unavailable, so the vulnerability has moderate severity while the likelihood of exploitation remains uncertain. Because the flaw is local and requires no additional privileges, an attacker with physical or local access could trigger it by interacting with notification handling, potentially leading to prolonged service disruption. This vulnerability is not yet listed in the CISA KEV catalog, but the local denial of service could negatively impact device usability.

Generated by OpenCVE AI on June 2, 2026 at 01:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Android Security Bulletin update 2026-06-01 to address the resource exhaustion in NotificationManagerService
  • Limit or remove applications that generate excessive notifications to reduce the risk of resource exhaustion
  • Monitor the notification queue for abnormal growth and, if possible, enforce application‑level limits on notification creation



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Persistent Denial of Service via Resource Exhaustion in NotificationManagerService isSameApp |

Tue, 02 Jun 2026 00:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 01 Jun 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Persistent Denial of Service via Resource Exhaustion in NotificationManagerService isSameApp |
| First Time appeared | | Google; Google android |
| Weaknesses | | CWE-400 |
| Vendors & Products | | Google; Google android |

Mon, 01 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In isSameApp of NotificationManagerService.java, there is a possible persistent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. |
References

MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-01T23:44:05.093Z

Reserved: 2025-05-22T18:12:46.995Z

Link: CVE-2025-48648

Vulnrichment

Updated: 2026-06-01T23:43:55.375Z

NVD

Status: Received

Published: 2026-06-01T22:16:18.827

Modified: 2026-06-02T00:16:31.963

Link: CVE-2025-48648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T02:00:14Z

Weaknesses