CVE Catalog

CVE-2026-28575

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile — higher than 14% of all known CVEs

Summary

In PackageInstaller.Session#transfer, there is a logic error that may lead to a memory exhaustion attack. This could result in local denial of service with no additional execution privileges needed.

Risk Assessment

The organization may experience local denial of service attacks, which could impact the availability of systems and services.

Recommendation

It is recommended to monitor and update systems to mitigate this vulnerability and implement protections against denial of service attacks.

Original NVD description (English source)

In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS