CVE-2026-28573 Overview
CVE-2026-28573 is a persistent denial of service vulnerability affecting Android Wear. The flaw originates in AndroidManifest.xml, where a missing permission check exposes a component to unauthorized local callers. An attacker with a locally installed application can invoke the unprotected component and trigger a denial of service condition that persists across reboots.
Exploitation requires no additional execution privileges and no user interaction. The issue is documented in the Android Wear security bulletin for June 2026.
Critical Impact
A local application can cause a persistent denial of service on Android Wear devices without user interaction or elevated privileges.
Affected Products
- Android Wear (referenced in the June 2026 Android Wear Security Bulletin)
- Devices running Wear OS components that ship the affected manifest declaration
- Downstream OEM Wear OS builds inheriting the vulnerable component
Discovery Timeline
- 2026-06-18 - CVE-2026-28573 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-28573
Vulnerability Analysis
The vulnerability is a mobile application vulnerability rooted in missing authorization on an exported Android component. AndroidManifest.xml declares the component without the android:permission attribute that should guard it, so any local process can bind to or invoke it. When the component receives a crafted invocation, it enters a state that the system cannot recover from on its own.
The denial of service is persistent. The affected service or process remains unusable after device restarts, which differentiates this issue from transient crash bugs. Functionality dependent on the component, such as system services or watch face routines, becomes unavailable until the device is reset or the affected package is reinstalled.
Because exploitation occurs through standard Android interprocess communication (IPC), no native code execution path is required. The attacker leverages legitimate Android APIs against an improperly secured endpoint.
Root Cause
The root cause is missing access control in the manifest declaration. Android components must declare a signature or system-level permission (an android:permission whose protectionLevel is signature-based) when they expose privileged behavior. The vulnerable component omits this guard, so the Android Binder framework never enforces a caller permission check. This is a configuration and design flaw aligned with Broken Access Control patterns.
Attack Vector
A malicious application installed on a Wear OS device sends an Intent or Binder transaction to the unprotected component. The component processes the input and reaches a state corruption or resource exhaustion condition that persists across the system_server lifecycle. No permissions are requested in the attacker manifest, which reduces install-time warnings to the user.
See the Android Wear Security Bulletin (June 2026) for the upstream technical reference.
Detection Methods for CVE-2026-28573
Indicators of Compromise
- Repeated crashes or ANR (Application Not Responding) events tied to a Wear OS system component after installation of a third-party application
- Wear OS subsystems becoming unavailable until factory reset or reinstall
- logcat entries showing unauthorized Binder transactions against the vulnerable component
Detection Strategies
- Inspect installed package manifests for components that interact with Wear OS system services without holding signature-level permissions
- Review device bug reports for persistent service failures that survive reboot
- Audit application install events on managed Wear devices and correlate with subsequent system instability
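The following manifest audit is an added example written for this page; it is not code from the Android Wear Security Bulletin or from any Google project, and the package, permission and component names in the embedded sample manifest are hypothetical. It covers the root cause described above (an exported component with no android:permission guard) and the manifest-inspection strategy in this list: it walks a manifest, decides which components other apps can reach, and flags those that either have no permission guard or are guarded by a permission whose protectionLevel is not signature-based, which any installed app could obtain. The sample manifest contains the vulnerable pattern beside its corrected form so both outcomes are visible.

```python
"""Audit an AndroidManifest.xml for components reachable by other apps that
lack a permission guard (the misconfiguration class behind CVE-2026-28573).
The sample manifest below is constructed for this example; package, permission
and component names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample: one unguarded service (the vulnerable pattern), one guarded
# by a signature permission (the corrected form), one guarded only by a normal
# permission, one not exported, and one receiver reachable via its intent-filter.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wear">
  <permission android:name="com.example.wear.permission.BIND_SYNC"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.wear.permission.WEAK"
              android:protectionLevel="normal"/>
  <application>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".SyncServiceFixed" android:exported="true"
             android:permission="com.example.wear.permission.BIND_SYNC"/>
    <service android:name=".WeakGuardedService" android:exported="true"
             android:permission="com.example.wear.permission.WEAK"/>
    <service android:name=".InternalService" android:exported="false"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter>
        <action android:name="com.example.wear.SYNC"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(manifest_xml: str) -> list[dict]:
    """Return findings for components other apps can reach without a strong guard."""
    root = ET.fromstring(manifest_xml)
    # Permissions this package declares itself, with their protection levels.
    declared = {
        _attr(p, "name"): (_attr(p, "protectionLevel") or "normal")
        for p in root.iter("permission")
    }
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        # Other apps can reach the component if exported="true", or if exported is
        # unset and an intent-filter is present (the default before Android 12).
        if not (exported == "true" or (exported is None and has_filter)):
            continue
        name = _attr(comp, "name")
        perm = _attr(comp, "permission")
        if perm is None:
            findings.append({"component": name, "type": comp.tag,
                             "issue": "reachable without android:permission"})
            continue
        level = declared.get(perm)
        # A guard whose protectionLevel is not signature-based can be obtained by
        # any installed app, so it does not actually restrict local callers.
        if level is not None and "signature" not in level:
            findings.append({"component": name, "type": comp.tag,
                             "issue": f"guarded by {perm} (protectionLevel={level})"})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['type']} {f['component']}: {f['issue']}")
```

Permissions declared by another package (platform permissions, for instance) are not resolvable from the manifest alone, so the audit leaves those guards unflagged rather than guessing their protection level. Run it against a manifest extracted from an installed package to list the components that would need the same correction the June 2026 patch applies.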
Monitoring Recommendations
- Forward Wear OS logcat and dropbox crash artifacts to a centralized log store for analysis
- Track installation of sideloaded APKs on enrolled Wear devices through mobile device management (MDM) telemetry
- Alert on repeated system_server or Wear OS service restarts originating from the same caller UID
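As an added example of the last monitoring recommendation (it is not part of the bulletin or of any vendor tooling), the script below correlates forwarded log lines: it records package installs by UID, attributes service deaths to the caller UID named in the line, and raises an alert when the same caller UID is tied to a threshold number of deaths of one service inside a short window, naming the package installed under that UID beforehand. The log lines are constructed in a logcat-like layout for the example; the service and package names are hypothetical, and the message formats are assumptions, so adapt the two message regexes to what your devices actually emit.

```python
"""Correlate service deaths with the caller UID that triggered them and with
prior package installs. Sample log lines are constructed for this example in a
logcat-like layout; names and message formats are hypothetical."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a sideloaded package installed under UID 10099 is followed
# by three deaths of the same Wear service attributed to that UID.
SAMPLE_LOG = """\
06-18 10:00:01.000  1000  1000 I PackageInstaller: installed com.example.sideloaded uid=10099
06-18 10:00:05.120  1001  1001 E ActivityManager: service com.example.wear.sysui/.SysUiService died, caller uid=10099
06-18 10:00:05.300  1001  1001 W ActivityManager: scheduling restart of service com.example.wear.sysui/.SysUiService
06-18 10:00:09.400  1001  1001 E ActivityManager: service com.example.wear.sysui/.SysUiService died, caller uid=10099
06-18 10:00:09.600  1001  1001 W ActivityManager: scheduling restart of service com.example.wear.sysui/.SysUiService
06-18 10:00:13.700  1001  1001 E ActivityManager: service com.example.wear.sysui/.SysUiService died, caller uid=10099
06-18 10:00:13.900  1001  1001 W ActivityManager: scheduling restart of service com.example.wear.sysui/.SysUiService
06-18 10:30:00.000  1001  1001 E ActivityManager: service com.example.wear.weather/.WeatherService died, caller uid=10042
"""

# logcat-style prefix: timestamp, pid, tid, priority, tag, message
LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+\d+\s+([VDIWEF])\s+(\w+):\s+(.*)$")
# Message formats are assumptions for this example; adjust to your devices.
INSTALL_RE = re.compile(r"installed (\S+) uid=(\d+)")
DIED_RE = re.compile(r"service (\S+) died, caller uid=(\d+)")


def find_persistent_dos(log_text: str, threshold: int = 3, window_s: int = 60) -> list[dict]:
    """Alert when one caller UID is tied to `threshold` deaths of a service within `window_s`."""
    installs = {}                 # uid -> (package, install time)
    deaths = defaultdict(list)    # (service, caller uid) -> [death times]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m-%d %H:%M:%S.%f")
        msg = m.group(4)
        if (im := INSTALL_RE.search(msg)):
            installs[int(im.group(2))] = (im.group(1), ts)
        elif (dm := DIED_RE.search(msg)):
            deaths[(dm.group(1), int(dm.group(2)))].append(ts)

    alerts = []
    for (service, uid), times in deaths.items():
        times.sort()
        # Sliding window: find any run of `threshold` deaths within `window_s`.
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                pkg = installs.get(uid)
                # Only name the package if it was installed before the first death.
                installed = pkg[0] if pkg and pkg[1] <= times[i] else None
                alerts.append({"service": service, "caller_uid": uid,
                               "deaths": j - i + 1, "installed_package": installed})
                break
    return alerts


if __name__ == "__main__":
    for a in find_persistent_dos(SAMPLE_LOG):
        print(f"{a['service']} died {a['deaths']}x, caller uid {a['caller_uid']}, "
              f"package {a['installed_package']}")
```

A single death (the weather service in the sample) is ignored, which keeps ordinary one-off crashes out of the alert queue; the threshold and window are tunable per fleet.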
How to Mitigate CVE-2026-28573
Immediate Actions Required
- Apply the June 2026 Wear OS security patch level on all affected devices
- Restrict installation of untrusted applications on managed Wear OS devices through enterprise mobility policy
- Remove or disable any third-party application observed triggering persistent Wear service failures
Patch Information
Google published the fix in the Android Wear Security Bulletin for June 2026. Devices reporting a security patch level of 2026-06-01 or later include the manifest correction that adds the missing permission check. OEMs distributing Wear OS builds must integrate the upstream change and ship updated firmware to end users.
Workarounds
- Block sideloading and enforce installation only from vetted application sources on Wear OS devices
- Use MDM policies to allowlist applications permitted on corporate-owned wearables
- Factory reset affected devices to restore functionality if the denial of service has already been triggered
# Verify the Wear OS security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output: 2026-06-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.