CVE-2026-28575
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
In PackageInstaller.Session#transfer, there is a logic error that may lead to a memory exhaustion attack. This could result in local denial of service with no additional execution privileges needed.
Risk Assessment
The organization may experience local denial of service attacks, which could impact the availability of systems and services.
Recommendation
It is recommended to monitor and update systems to mitigate this vulnerability and implement protections against denial of service attacks.
Original NVD description (English source)
In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

