Description
In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-04-06
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Persistent Denial of Service via Resource Exhaustion
Action: Apply Patch
AI Analysis

Impact

The flaw exists in the image decoding routine of the Android operating system, where the header decoding logic can be abused to exhaust device resources. The attacker does not need elevated privileges or any interactive step: loading a crafted image locally is enough to trigger the denial of service. Affected processes may become unresponsive or terminate, leading to a service interruption for the user.

Affected Systems

Android devices running versions 14, 15, and 16, including the QPR2 beta 1, 2, and 3 releases from Google, are impacted.

Risk and Exploitability

The current scoring reflects a moderate severity rating, but the likelihood of exploitation in the wild is very low, as the EPSS score is below one percent and the vulnerability is not listed in the Known Exploited Vulnerabilities catalog. Because the flaw is local and does not demand user interaction, any app that loads images may be susceptible, yet the overall operational risk remains limited to the affected device or application.

Generated by OpenCVE AI on April 10, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Android security patch that addresses the LocalImageResolver issue for the specific OS version on the device.
  • If an official patch is not yet available, limit or disable the loading of untrusted or specially crafted images by configuring app permissions or using device management policies to restrict image decoding.
  • Monitor device logs for repeated memory exhaustion or crash events related to image processing, and take corrective action if such events recur.



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Persistent Denial of Service via Resource Exhaustion in LocalImageResolver

Fri, 10 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google android
Vendors & Products Google
Google android

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Persistent Denial of Service via Resource Exhaustion in LocalImageResolver

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Weaknesses CWE-400
References
Metrics cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-04-13T16:57:00.317Z

Reserved: 2025-10-15T15:39:42.902Z

Link: CVE-2026-0049

Vulnrichment

Updated: 2026-04-06T18:39:33.329Z

NVD

Status: Analyzed

Published: 2026-04-06T19:16:26.280

Modified: 2026-04-10T18:54:40.540

Link: CVE-2026-0049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:37Z

Weaknesses