Description
In isPackageNullOrSystem of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-03-02
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the isPackageNullOrSystem method of Android's AppOpsService.java. Improper input validation can trigger a persistent denial of service by causing the service to crash or become unresponsive. The flaw requires no elevated privileges or user interaction, meaning a local attacker with access to the device can exploit the flaw to halt or degrade the operation of the affected service.

Affected Systems

The flaw affects Android devices running versions 14.0, 15.0, 16.0, and the 16.0 beta releases 1 through 3. Any device running these builds without the corresponding security update is vulnerable.

Risk and Exploitability

The CVSS base score is 6.2, indicating moderate severity. The EPSS score is below 1 %, and the flaw is not listed in the CISA KEV catalog. Because the exploitation requires only local access and no privileges, a malicious application could exploit the flaw by sending crafted requests to the AppOpsService. The lack of user interaction lowers the barrier for exploitation, but an attacker would still need entry into the device to trigger the denial of service.

Generated by OpenCVE AI on April 16, 2026 at 14:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Android release that includes the security fix for the AppOpsService input‑validation bug.
  • If a device update is not yet available, restrict installation of unfamiliar applications and keep Google Play Protect enabled to reduce the risk of malicious payloads targeting the service.
  • Use device management policies to limit or monitor access to the AppOpsService, and observe for repeated crashes or performance degradation that may indicate exploitation.

Generated by OpenCVE AI on April 16, 2026 at 14:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Title AppOpsService Input Validation Denial of Service

Fri, 06 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
References

Fri, 06 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
References

Tue, 03 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:* cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 03 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2:*:*:*:*:*:*
Vendors & Products Google
Google android

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description In isPackageNullOrSystem of AppOpsService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References

Subscriptions

Google Android
cve-icon MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-03-06T03:49:02.217Z

Reserved: 2025-10-15T15:38:45.196Z

Link: CVE-2026-0014

cve-icon Vulnrichment

Updated: 2026-03-02T21:23:32.317Z

cve-icon NVD

Status : Modified

Published: 2026-03-02T19:16:29.913

Modified: 2026-03-06T04:16:03.863

Link: CVE-2026-0014

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses