CVE-2026-0018 - Vulnerability Details

- Local Denial of Service via Improper Input Validation in AccessibilityManagerService

Description

In multiple functions of AccessibilityManagerService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Published: 2026-06-01

Score: 5.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In multiple functions of AccessibilityManagerService.java, improper input validation allows an application to trigger a persistent denial of service. The flaw does not require elevated privileges and does not need any user interaction; once exploited it can render the accessibility framework unresponsive, potentially causing application crashes or service unavailability.

Affected Systems

This weakness affects Android devices running Google’s Android operating system. The specific affected releases are not listed in the data, but the issue is documented in the 2026‑06‑01 Android security bulletin and applies to all services that invoke the vulnerable AccessibilityManagerService API.

Risk and Exploitability

The vulnerability is a local denial of service; an attacker must have local access to the device or be able to execute code that can call the malfunctioning API. The CVSS score of 5.5 indicates moderate severity. No exploit probability score is available, and it is not listed in CISA’s KEV catalog. The impact is significant for device stability and user experience, but the attack requires only local execution without a direct user interaction. The risk is therefore moderate to high for users unable to apply the security update promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

Android

unaffected

Version	Status	Constraints
`16-qpr2`	affected	—
`16`	affected	—
`15`	affected	—

No data.

Vendor Product Confidence Versions

Google

Android

100%

Version	Status	Scheme	Platform
`16-qpr2`	affected	generic	—
`16`	affected	generic	—
`15`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Android security update for CVE‑2026‑0018 as detailed in the Android security bulletin
Review and harden the input validation of AccessibilityManagerService methods to comply with CWE‑20 guidelines
If immediate update is not possible, disable or limit the use of affected accessibility services to prevent exploitation
Monitor system logs for repeated crashes of AccessibilityManagerService and consider reverting to a known stable configuration if instability persists

Generated by OpenCVE AI on June 2, 2026 at 03:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://source.android.com/docs/security/bulletin/2026/2026-06-01

History

Tue, 02 Jun 2026 03:45:00 +0000

Type	Values Removed	Values Added
Title		Local Denial of Service via Improper Input Validation in AccessibilityManagerService

Tue, 02 Jun 2026 02:15:00 +0000

Type	Values Removed	Values Added
Title	Denial of Service via Improper Input Validation in Android AccessibilityManagerService
Weaknesses	CWE-400

Tue, 02 Jun 2026 00:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Denial of Service via Improper Input Validation in Android AccessibilityManagerService
First Time appeared		Google Google android
Weaknesses		CWE-400
Vendors & Products		Google Google android

Mon, 01 Jun 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		In multiple functions of AccessibilityManagerService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References		https://source.android.com/docs/security/bulletin/2026/2026-06-01

Subscriptions

Google Android

MITRE

Status: PUBLISHED

Assigner: google_android

Published: 2026-06-01T21:14:51.309Z

Updated: 2026-06-01T23:42:34.471Z

Reserved: 2025-10-15T15:38:52.105Z

Link: CVE-2026-0018

Vulnrichment

Updated: 2026-06-01T23:42:25.711Z

NVD

Status : Received

Published: 2026-06-01T22:16:19.417

Modified: 2026-06-02T00:16:33.443

Link: CVE-2026-0018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T03:30:26Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object