Description
In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic error in the transfer method of PackageInstaller.Session can cause uncontrolled memory consumption, enabling a local denial-of-service attack without any user interaction or additional privileges. The flaw carries a CVSS score of 10, indicating critical severity, while its EPSS score is below 1%, indicating very low expected exploitation. The vulnerability is not listed in the CISA KEV catalog, so there is no record of known exploitation at this time.

Affected Systems

The affected product is Android, as provided by Google, specifically the PackageInstaller session code in frameworks/base/services/core. The exact version range is not specified, but the reference to the Android 17 security bulletin suggests that devices running that release and later may be impacted.

Risk and Exploitability

The weakness falls under resource exhaustion (CWE-400). An attacker only needs local access to the device or the ability to invoke the vulnerable method; no elevated privileges are required. Because exploitation requires local interaction and the EPSS score is below 1%, the likelihood of a real-world attack is low, but the impact of a successful denial of service could be significant for end users, potentially disrupting application installation and device functionality.

Generated by OpenCVE AI on June 17, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Android OS update that includes the fix for this memory exhaustion flaw.
  • Restrict installation privileges for untrusted applications or disable the PackageInstaller service if it is not needed for device operation.
  • Monitor system logs and memory usage for symptoms of exhaustion and reboot the device if instability or repeated failures occur.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Google; Google android
Vendors & Products    -                Google; Google android

Wed, 17 Jun 2026 07:45:00 +0000

Type                  Values Removed   Values Added
Description           -                In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
References            -                -
Metrics               -                cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: google_android

Published:

Updated: 2026-06-17T14:01:52.523Z

Reserved: 2026-03-02T19:10:53.531Z

Link: CVE-2026-28575

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T09:00:06Z

Weaknesses

No weakness.