Android PackageInstallerSession Local DoS via Memory Exhaustion
CVE-2026-28575 Published on June 17, 2026
In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2026-28575 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-28575
Want to know whenever a new CVE is published for Google Android? stack.watch will email you.
Affected Versions
Google Android Version 17 is affected by CVE-2026-28575Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.