CVE-2026-0074: Google Android DOS Vulnerability

CVE-2026-0074 is a denial of service vulnerability in Google Android caused by resource exhaustion in LauncherProcessImageListener.kt. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-0074 Overview

CVE-2026-0074 is a local denial of service vulnerability in Google Android. The flaw resides in the getPreferredSize function of LauncherProcessImageListener.kt. Resource exhaustion in this component allows a local attacker to trigger a denial of service condition without user interaction. The vulnerability is mapped to CWE-400: Uncontrolled Resource Consumption. Google addressed the issue in the Android Security Bulletin June 2026. Affected releases include Android 14, Android 15, and Android 16 (including QPR2 Beta 1, 2, and 3).

Critical Impact

Local attackers with low privileges can exhaust device resources and cause denial of service on affected Android devices without requiring user interaction.

Affected Products

  • Google Android 14.0
  • Google Android 15.0
  • Google Android 16.0 (including QPR2 Beta 1, 2, and 3)

Discovery Timeline

  • 2026-06-01 - Google releases security patch in Android Security Bulletin June 2026
  • 2026-06-01 - CVE-2026-0074 published to NVD
  • 2026-06-02 - Last updated in NVD database

Technical Details for CVE-2026-0074

Vulnerability Analysis

The vulnerability exists in the getPreferredSize method of LauncherProcessImageListener.kt, a Kotlin component within the Android launcher process. The function fails to bound resource consumption when computing or returning preferred image sizes. A local actor can invoke conditions that cause the listener to consume excessive memory or CPU resources. This leads to a denial of service on the local device.

The weakness is classified under CWE-400: Uncontrolled Resource Consumption. No additional execution privileges are required beyond local access. The impact is restricted to availability — confidentiality and integrity are not affected.

Root Cause

The root cause is insufficient validation or limiting of resource usage within getPreferredSize. When the listener processes image-related size requests, it does not enforce upper bounds on the work performed. The launcher process can be driven into a state where it consumes resources until system stability degrades. See the Android Security Bulletin June 2026 for vendor technical details.

Attack Vector

Exploitation requires local access with low privileges. An attacker running code on the device — for example, through a malicious or compromised application — can interact with the launcher component to trigger the resource exhaustion path. User interaction is not required. Successful exploitation renders the launcher or device unresponsive until the process is restarted. No public proof-of-concept code or exploit is currently available.

Detection Methods for CVE-2026-0074

Indicators of Compromise

  • Repeated crashes or unresponsiveness of the Android launcher process (SystemUI or OEM launcher).
  • Anomalous spikes in CPU or memory usage attributed to the launcher process on affected Android versions.
  • Application installations from untrusted sources preceding launcher instability.

Detection Strategies

  • Monitor Android system logs (logcat) for ANR (Application Not Responding) events tied to the launcher process and LauncherProcessImageListener.
  • Inspect mobile device management (MDM) telemetry for repeated launcher restarts on Android 14, 15, and 16 endpoints.
  • Review installed application inventory for unsigned or sideloaded apps that interact with launcher services.
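One way to implement the logcat check described above, as an added example (not code from Google or from this advisory). The launcher package names, the ActivityManager line shapes it matches, and the sample log are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Launcher packages to watch. Assumption: AOSP Launcher3 and Pixel Launcher;
# replace with the launcher package(s) actually deployed in your fleet.
LAUNCHER_PKGS="${LAUNCHER_PKGS:-com.android.launcher3 com.google.android.apps.nexuslauncher}"

# Constructed sample in logcat "threadtime" layout (not captured from a device).
SAMPLE_LOG='06-03 10:15:01.120  1510  1533 E ActivityManager: ANR in com.android.launcher3 (com.android.launcher3/.Launcher)
06-03 10:15:09.480  1510  1690 I ActivityManager: Process com.android.launcher3 (pid 4211) has died: fg  TOP
06-03 10:16:30.002  1510  1533 E ActivityManager: ANR in com.android.launcher3 (com.android.launcher3/.Launcher)
06-03 10:17:02.771  1510  1533 E ActivityManager: ANR in com.example.notes (com.example.notes/.Main)'

# Reads logcat text on stdin. For each watched package with at least one event,
# prints "<package> anr=<n> died=<n>". Matching is by substring on the
# ActivityManager "ANR in <pkg>" and "Process <pkg> (pid N) has died" lines.
launcher_instability() {
  awk -v pkgs="$LAUNCHER_PKGS" '
    BEGIN { n = split(pkgs, list, " ") }
    {
      for (i = 1; i <= n; i++) {
        p = list[i]
        if (index($0, "ANR in " p)) anr[p]++
        if (index($0, "Process " p " (pid") && index($0, "has died")) died[p]++
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        p = list[i]
        if (anr[p] + died[p] > 0) printf "%s anr=%d died=%d\n", p, anr[p], died[p]
      }
    }'
}

# Reads logcat text on stdin. Exit status 0 means some watched launcher logged
# at least $1 events (default 3), so the device should be flagged for review.
launcher_alert() {
  launcher_instability | awk -v t="${1:-3}" '
    { split($2, a, "="); split($3, d, "="); if (a[2] + d[2] >= t) hit = 1 }
    END { exit (hit ? 0 : 1) }'
}

# Live use on a connected device: adb logcat -d | launcher_instability
printf '%s\n' "$SAMPLE_LOG" | launcher_instability
```

The counts only indicate launcher instability; correlate flagged devices with patch level and recent app installs before treating them as affected by this CVE.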

Monitoring Recommendations

  • Track Android patch level against the June 2026 security bulletin across the device fleet.
  • Alert on devices reporting elevated process kill rates or out-of-memory events on the launcher process.
  • Correlate device instability events with recent app installation activity through MDM or EMM platforms.

How to Mitigate CVE-2026-0074

Immediate Actions Required

  • Apply the Android June 2026 security patch level to all managed devices running Android 14, 15, or 16.
  • Restrict installation of applications from unknown sources through MDM policy.
  • Audit devices running Android 16 QPR2 Beta builds and move them to patched release builds.

Patch Information

Google published the fix in the Android Security Bulletin June 2026. Devices should be updated to the 2026-06-01 security patch level or later. OEM device updates may follow Google's release on a vendor-specific schedule, so confirm patch availability with the device manufacturer.

Workarounds

  • Limit application sideloading and enforce Google Play Protect on managed devices until patches are deployed.
  • Use enterprise mobility management to enforce minimum Android security patch levels for corporate access.
  • Reboot affected devices to restore launcher functionality if denial of service is observed prior to patching.

```bash
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2026-06-01 or later
```
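
Extending the single-device check to a fleet inventory, as an added example (not part of the original advisory or of any MDM product). The CSV layout (device id, Android release, security patch level) and the device names are constructed assumptions; the minimum patch level and affected releases are the ones stated on this page.

```shell
#!/usr/bin/env bash
MIN_PATCH="2026-06-01"   # patch level this page says contains the fix

# Constructed inventory export: device_id,android_release,security_patch
SAMPLE_FLEET='pixel-01,14,2026-05-05
pixel-02,15,2026-06-01
tab-07,16,2026-06-05
kiosk-03,13,2025-12-01
pixel-09,16,'

# Exit 0 when $1 is a YYYY-MM-DD patch level at or after MIN_PATCH.
# Empty or malformed values are treated as unpatched.
patch_ok() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # ISO dates sort lexicographically, so the earlier string is the earlier date.
  [ "$(printf '%s\n%s\n' "$MIN_PATCH" "$1" | LC_ALL=C sort | head -n 1)" = "$MIN_PATCH" ]
}

# Reads the CSV on stdin and prints the ids of devices that run an affected
# release (Android 14, 15 or 16) and are below MIN_PATCH.
audit_fleet() {
  while IFS=, read -r id release patch; do
    # Strip carriage returns and spaces that CSV exports or adb output may carry.
    patch=$(printf '%s' "$patch" | tr -d '\r ')
    case "$release" in
      14*|15*|16*) patch_ok "$patch" || printf '%s\n' "$id" ;;
    esac
  done
}

# Single connected device, using the property from the command above:
#   patch_ok "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
printf '%s\n' "$SAMPLE_FLEET" | audit_fleet
```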

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
