{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0049", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "state": "PUBLISHED", "assignerShortName": "google_android", "dateReserved": "2025-10-15T15:39:42.902Z", "datePublished": "2026-04-06T18:20:38.337Z", "dateUpdated": "2026-04-06T18:39:43.404Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-04-06T18:32:39.782Z"}, "datePublic": "2026-04-05T18:30:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Denial of service"}]}], "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "16-qpr2"}, {"status": "affected", "version": "16"}, {"status": "affected", "version": "15"}, {"status": "affected", "version": "14"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.</p>"}]}], "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-04-01", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Cxxsheng (\u66f9\u5723) and Yanjie Zhao (\u8d75\u5f66\u6770) of Huazhong University of Science and Technology (\u534e\u4e2d\u79d1\u6280\u5927\u5b66) and Canyie(\u77f3\u677e\u6d32) of LSPosed Team.", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cvelib 1.7.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:39:39.296981Z", "id": "CVE-2026-0049", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:39:43.404Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-0049", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:39:39.296981Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:39:33.329Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Cxxsheng (\u66f9\u5723) and Yanjie Zhao (\u8d75\u5f66\u6770) of Huazhong University of Science and Technology (\u534e\u4e2d\u79d1\u6280\u5927\u5b66) and Canyie(\u77f3\u677e\u6d32) of LSPosed Team."}], "affected": [{"vendor": "Google", "product": "Android", "versions": [{"status": "affected", "version": "16-qpr2"}, {"status": "affected", "version": "16"}, {"status": "affected", "version": "15"}, {"status": "affected", "version": "14"}], "defaultStatus": "unaffected"}], "datePublic": "2026-04-05T18:30:00.000Z", "references": [{"url": "https://source.android.com/docs/security/bulletin/2026/2026-04-01", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.7.1"}, "descriptions": [{"lang": "en", "value": "In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.", "supportingMedia": [{"type": "text/html", "value": "<p>In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Denial of service"}]}], "providerMetadata": {"orgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "shortName": "google_android", "dateUpdated": "2026-04-06T18:32:39.782Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0049", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:39:43.404Z", "dateReserved": "2025-10-15T15:39:42.902Z", "assignerOrgId": "baff130e-b8d5-4e15-b3d3-c3cf5d5545c6", "datePublished": "2026-04-06T18:20:38.337Z", "assignerShortName": "google_android"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*", "matchCriteriaId": "FD695F32-4A73-4846-B1A1-04FF266E9C15", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*", "matchCriteriaId": "3DE9F018-8704-476B-8D59-F63F8486E231", "vulnerable": true}, {"criteria": "cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*", "matchCriteriaId": "BE95A642-4330-4F65-B028-3BA597D30F32", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation."}], "id": "CVE-2026-0049", "lastModified": "2026-04-10T18:54:40.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-06T19:16:26.280", "references": [{"source": "security@android.com", "tags": ["Vendor Advisory"], "url": "https://source.android.com/docs/security/bulletin/2026/2026-04-01"}], "sourceIdentifier": "security@android.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16-qpr2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "16"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "14"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Android", "source": "cna", "vendor": "Google"}, "product": "android", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-07T02:19:35.812485+00:00", "value": {"mitigation_remediation": ["Apply the latest Android security patch that addresses the LocalImageResolver denial\u2011of\u2011service issue", "Monitor Google security bulletins for an upcoming patch if one is not yet available"], "summary": {"action": "Patch ASAP", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw resides in Google Android systems. Specific affected releases are not enumerated in the data, so all currently deployed Android versions may be susceptible until a patch is released by Google.", "description_and_impact": "A vulnerability in the LocalImageResolver module of Android can cause persistent denial of service through resource exhaustion when processing image headers. This flaw allows an attacker to repeatedly trigger the onHeaderDecoded function, depleting system resources until normal operation is impaired. It is classified as a resource exhaustion weakness and does not require elevated privileges or user interaction.", "risk_and_exploitability": "The CVSS score of 6.2 indicates a moderate severity. With no EPSS data and absence from the CISA KEV list, immediate exploitation risk appears low, but a local attacker can loop the exploit to degrade service availability. The impact is strictly local denial of service, and there are no known workarounds or mitigation techniques besides applying the vendor patch."}}}}, "created": "2026-04-07T06:54:43.091167+00:00", "title": "Persistent Denial of Service via Resource Exhaustion in LocalImageResolver", "updated": "2026-04-07T09:37:47.692874+00:00", "vendors": ["google", "google$PRODUCT$android"]}