CVE Vulnerability Database

CVE-2026-0014: Google Android DoS Vulnerability

CVE-2026-0014 is a persistent denial-of-service flaw in Google Android's AppOpsService.java caused by improper input validation. This vulnerability enables local DoS attacks without user interaction or elevated privileges.

CVE-2026-0014 Overview

CVE-2026-0014 is an input validation vulnerability in the isPackageNullOrSystem method of AppOpsService.java within the Android operating system. The flaw allows a local attacker to trigger a persistent denial of service condition without requiring elevated privileges or user interaction. Improper input validation [CWE-20] in the AppOps subsystem enables an attacker to put the affected component into a state that disrupts normal device operation. Google addressed the issue in the March 2026 Android Security Bulletin.

Critical Impact

A local attacker can cause a persistent denial of service on Android 14, 15, and 16 devices without user interaction, potentially requiring device reset or recovery procedures to restore functionality.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, Beta 2, and Beta 3)

Discovery Timeline

  • 2026-03-02 - CVE-2026-0014 published to NVD
  • 2026-03-06 - Last updated in NVD database

Technical Details for CVE-2026-0014

Vulnerability Analysis

The vulnerability resides in AppOpsService.java, a core Android system service that manages application operation permissions. The isPackageNullOrSystem helper method fails to properly validate input passed to it, which allows malformed or unexpected data to propagate through the AppOps permission checking logic.

When exploited, the flaw produces a persistent denial of service. Unlike transient crashes, the impact remains across reboots until manual intervention occurs. This persistence amplifies the practical impact despite the local-only attack vector.

The weakness is categorized under [CWE-20] Improper Input Validation. The attack requires local access through an installed application but does not require user interaction or any granted permissions beyond what a standard third-party app receives.

Root Cause

The isPackageNullOrSystem method in AppOpsService does not adequately sanitize or verify package identifier input before processing. The method is invoked during permission resolution operations performed across the Android system. Passing crafted input that bypasses the intended null and system-package checks corrupts state used by downstream AppOps logic, producing a persistent failure mode.

Attack Vector

Exploitation requires a local application running on the target device. The attacker invokes AppOps-related APIs with carefully crafted package references that exercise the unvalidated code path in isPackageNullOrSystem. No additional execution privileges and no user interaction are required. Refer to the Android Security Bulletin March 2026 for component-level technical details.

Detection Methods for CVE-2026-0014

Indicators of Compromise

  • Repeated crashes or restarts of the system_server process referencing AppOpsService in logcat output.
  • Persistent failure of permission-dependent system functions following installation or execution of a third-party application.
  • Unexpected entries in dropbox logs tied to AppOpsService.java stack traces.

Detection Strategies

  • Monitor Android device logs for stack traces originating from AppOpsService and the isPackageNullOrSystem method.
  • Review mobile device management (MDM) telemetry for devices reporting recurring system service crashes or degraded states.
  • Identify recently installed applications that invoke AppOps APIs with unusual package name parameters.

Monitoring Recommendations

  • Enroll Android endpoints in an enterprise mobility management platform to collect crash and reliability telemetry.
  • Track Android Security Bulletin patch level reported by managed devices and flag any device below the March 2026 patch level.
  • Establish alerting on abnormal volumes of system_server restarts across the device fleet.
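As an added example (not from this page, NVD, or Google), the following script applies the three checks above to fleet telemetry: it reads a device's ro.build.version.security_patch value, scans a logcat excerpt for system_server crashes and AppOpsService stack frames, and produces one triage verdict. The logcat lines are constructed and the class path in the frames is a placeholder; only the AppOpsService and isPackageNullOrSystem tokens from the page drive the match.

```python
"""Fleet-side triage for the CVE-2026-0014 indicators listed above."""
import re
from datetime import date

# Devices at or above this security patch level carry the fix (per the March 2026 bulletin).
FIXED_PATCH_LEVEL = date(2026, 3, 1)

# Constructed logcat excerpt, not captured from a real device. The package path in
# the frames is a placeholder; the detector only keys on the tokens the advisory names.
SAMPLE_LOGCAT = """\
03-03 10:01:13.120  1234  1234 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main
03-03 10:01:13.122  1234  1234 E AndroidRuntime: \tat com.android.server.appop.AppOpsService.isPackageNullOrSystem(AppOpsService.java)
03-03 10:01:13.123  1234  1234 E AndroidRuntime: \tat com.android.server.appop.AppOpsService.checkOperation(AppOpsService.java)
03-03 10:02:41.900  1240  1240 E AndroidRuntime: *** FATAL EXCEPTION IN SYSTEM PROCESS: main
03-03 10:02:41.902  1240  1240 E AndroidRuntime: \tat com.android.server.appop.AppOpsService.isPackageNullOrSystem(AppOpsService.java)
03-03 10:05:00.000  1300  1300 I SomeService: unrelated line
"""

FATAL_SYSTEM = re.compile(r"FATAL EXCEPTION IN SYSTEM PROCESS")
# Captures the method name of any stack frame inside AppOpsService.
APPOPS_FRAME = re.compile(r"\bat\s+\S*AppOpsService\.(\w+)\(")

def is_patched(security_patch: str) -> bool:
    """True if the reported ro.build.version.security_patch is at or past the fixed level."""
    try:
        return date.fromisoformat(security_patch.strip()) >= FIXED_PATCH_LEVEL
    except ValueError:
        return False  # unparsable property value: treat the device as unpatched

def triage_logcat(text: str) -> dict:
    """Count system_server crashes and AppOpsService frames in a logcat excerpt."""
    crashes = appops_frames = hits = 0
    for line in text.splitlines():
        if FATAL_SYSTEM.search(line):
            crashes += 1
        m = APPOPS_FRAME.search(line)
        if m:
            appops_frames += 1
            if m.group(1) == "isPackageNullOrSystem":
                hits += 1
    return {"system_process_crashes": crashes,
            "appops_frames": appops_frames,
            "isPackageNullOrSystem_frames": hits}

def assess_device(security_patch: str, logcat: str, crash_threshold: int = 2) -> str:
    """Combine patch level and log indicators into a single fleet triage verdict."""
    if is_patched(security_patch):
        return "patched"
    stats = triage_logcat(logcat)
    if stats["isPackageNullOrSystem_frames"] > 0:
        return "unpatched-suspected-exploitation"
    if stats["system_process_crashes"] >= crash_threshold:
        return "unpatched-unstable"
    return "unpatched"

if __name__ == "__main__":
    for level in ("2026-02-01", "2026-03-01", "unknown"):
        print(level, assess_device(level, SAMPLE_LOGCAT))
```

In an MDM pipeline the `security_patch` string would come from each device's `getprop ro.build.version.security_patch` and the logcat text from the platform's crash telemetry.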

How to Mitigate CVE-2026-0014

Immediate Actions Required

  • Apply the March 2026 Android Security Bulletin update on all managed devices running Android 14, 15, or 16.
  • Restrict installation of applications from untrusted sources through MDM policy enforcement.
  • Audit Android 16 QPR2 Beta participants and move affected devices off pre-release branches if possible.

Patch Information

Google released the fix as part of the Android Security Bulletin March 2026. Devices reporting a security patch level of 2026-03-01 or later contain the corrected AppOpsService input validation logic. OEM rollout timing varies, so administrators should track per-device patch levels.

Workarounds

  • Limit sideloading and enforce Play Protect on managed devices until patches are installed.
  • Use enterprise application allowlists to block untrusted third-party packages.
  • Educate users to avoid installing applications from unknown developers during the patch rollout window.
```bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-03-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
