
CVE-2026-28575: Google Android DoS Vulnerability

CVE-2026-28575 is a denial of service flaw in Google Android's PackageInstaller that enables memory exhaustion attacks without user interaction. This article covers the technical details, affected versions, and mitigation.

CVE-2026-28575 Overview

CVE-2026-28575 is a memory exhaustion vulnerability in the Android PackageInstaller component. The flaw resides in the session transfer path: the public PackageInstaller.Session#transfer API is implemented server-side in frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, which runs inside system_server. A logic error there allows a local application to make the service consume memory without bound. Exploitation requires no user interaction and no additional execution privileges. Successful exploitation results in a local denial of service against the affected Android device. Google tracks the issue under CWE-400 (Uncontrolled Resource Consumption) and addressed it in the Android Security Bulletin for Android 17.

Critical Impact

A local, unprivileged application can exhaust device memory through the PackageInstallerSession transfer path, causing a device-wide denial of service without user interaction. The impact is availability only: the advisory describes a logic error rather than memory corruption, so the bug does not by itself yield code execution or privilege escalation.

Affected Products

  • Google Android 17.0
  • Devices running the frameworks/base package installer service from Android 17
  • AOSP builds incorporating the unpatched PackageInstallerSession.java

Discovery Timeline

  • 2026-06-17 - CVE-2026-28575 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-28575

Vulnerability Analysis

The vulnerability sits in the transfer code path of PackageInstallerSession.java, the system_server implementation behind the public PackageInstaller.Session#transfer API. Transfer hands ownership of an in-progress install session from the app that created it to another package. According to the advisory, a logic error in the resource handling of this path lets a local caller make the service retain memory without bound, for example by driving the transfer operation repeatedly; the precise trigger is not public. The condition is classified under CWE-400 (Uncontrolled Resource Consumption), meaning the defect is unbounded allocation or retention of state, not a memory-safety error. Because the package installer service runs inside system_server, exhausting its memory affects core platform functionality and can destabilize the whole device.

Root Cause

The bulletin describes the root cause as a logic error: the session transfer path does not bound the allocation or retained state that a transfer request triggers. Each request grows the resident memory footprint of system_server, and with no cap on retained state, repeated invocations push the device into a low-memory condition. The Android Security Bulletin lists the issue as a logic error in the code rather than a memory-corruption primitive, so the fix is a missing limit or check rather than a memory-safety repair.

Attack Vector

A locally installed application drives the vulnerable transfer path through the PackageInstaller APIs. The advisory states that no user interaction and no additional execution privileges are needed, and the attacker does not need to win a race or supply a crafted APK; the exact call sequence is not public. Sustained calls push the memory footprint of system_server upward until the low-memory killer starts terminating other processes, or system_server itself is killed and the framework restarts, either of which is a denial of service. Network-based exploitation is not described in the advisory; the practical attack surface is local code already running on the device, for example a sideloaded app.

Detailed proof-of-concept code is not publicly available. Refer to the Android Security Bulletin for technical specifics tied to the upstream AOSP patch.

Detection Methods for CVE-2026-28575

Indicators of Compromise

  • Repeated PackageInstaller session creation or transfer activity from a single third-party application UID, visible in the install-session listing of dumpsys package and, on builds that log session events, in logcat.
  • Sustained growth of resident memory for system_server (the process hosting PackageInstallerService) without corresponding install activity.
  • Frequent low-memory killer events terminating foreground apps shortly after a specific application launches.
  • ANR (Application Not Responding) reports tied to package management services.

Detection Strategies

  • Monitor mobile telemetry for anomalous invocation rates of PackageInstaller session APIs by non-system applications.
  • Inspect dumpsys meminfo system_server snapshots over time to baseline normal memory use and flag sustained upward deviations.
  • Correlate application install times with subsequent device instability events (low-memory kills, ANRs, framework restarts) in mobile threat defense logs.

Monitoring Recommendations

  • Ingest Android device logs into a centralized analytics platform and alert on repeated PackageInstaller session creation or transfer events from the same UID.
  • Track the Android security patch level across the managed fleet and flag devices that remain below the Android 17 bulletin baseline.
  • Review newly installed applications that declare REQUEST_INSTALL_PACKAGES or otherwise drive PackageInstaller sessions for unexpected behavior.
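The detection strategies and monitoring recommendations above reduce to two checks: a memory trend on system_server and a per-UID count of open install sessions. The following is an added example (not code from the original page or from AOSP) that implements both against constructed dumpsys text. The sample output only approximates real device output: the "TOTAL PSS:" summary line of dumpsys meminfo, and the session fields mOriginalInstallerUid, mInstallerUid and mInstallerPackageName that PackageInstallerSession prints into dumpsys package are assumptions to verify against a real device before the regexes are trusted.

```python
"""Detection helpers for the system_server memory-exhaustion pattern.

Added example; not code from the original page or from AOSP. All dumpsys text
below is constructed and only approximates real output.
"""
import re
from collections import Counter

# Constructed: summary line from four `adb shell dumpsys meminfo system_server`
# snapshots taken a few minutes apart while a suspect app was running.
MEMINFO_GROWING = [
    "** MEMINFO in pid 1234 [system_server] **\n"
    f"      TOTAL PSS:   {pss}            TOTAL RSS:   {pss + 70000}      TOTAL SWAP PSS:        0\n"
    for pss in (210000, 262000, 338000, 431000)
]
# Constructed: the same line on a healthy device (normal jitter, no trend).
MEMINFO_STABLE = [
    f"      TOTAL PSS:   {pss}            TOTAL RSS:   {pss + 70000}      TOTAL SWAP PSS:        0\n"
    for pss in (210000, 215000, 212000, 218000)
]

# Matches both the "TOTAL PSS:   123456" summary line and the older table row
# "       TOTAL   123456   ..." so the parser works across releases.
TOTAL_PSS_RE = re.compile(r"^\s*TOTAL(?:\s+PSS:)?\s+(\d+)", re.MULTILINE)


def total_pss_kb(meminfo_text):
    """Return the process-wide PSS total in kB from one dumpsys meminfo snapshot."""
    m = TOTAL_PSS_RE.search(meminfo_text)
    if not m:
        raise ValueError("no TOTAL PSS line in dumpsys meminfo output")
    return int(m.group(1))


def sustained_growth(pss_series_kb, min_steps=3, min_growth_kb=100_000):
    """Flag a series whose last `min_steps` deltas are all positive and add up to
    at least `min_growth_kb`; a single spike or noisy jitter alone does not trigger."""
    if len(pss_series_kb) < min_steps + 1:
        return False
    tail = pss_series_kb[-(min_steps + 1):]
    deltas = [later - earlier for earlier, later in zip(tail, tail[1:])]
    return all(d > 0 for d in deltas) and sum(deltas) >= min_growth_kb


def _session_block(sid, original_uid, installer_uid, pkg):
    # Constructed layout of one entry in the dumpsys package session listing;
    # the field names are an assumption about PackageInstallerSession's dump.
    return (f"  Session {sid}:\n    userId=0\n    mOriginalInstallerUid={original_uid}\n"
            f"    mInstallerPackageName={pkg}\n    mInstallerUid={installer_uid}\n")


# Constructed: one normal session plus six sessions created by UID 10211 and
# transferred to UID 10250, the pattern worth alerting on.
PACKAGE_SESSIONS = "Active install sessions:\n" + _session_block(
    1088473, 10123, 10123, "com.example.updater") + "".join(
    _session_block(1088480 + i, 10211, 10250, "com.example.suspicious") for i in range(6))

SESSION_RE = re.compile(r"^\s*Session (\d+):", re.MULTILINE)


def parse_sessions(dump_text):
    """Split the session listing into dicts of key=value fields plus the session id."""
    parts = SESSION_RE.split(dump_text)  # [preamble, id, body, id, body, ...]
    sessions = []
    for sid, body in zip(parts[1::2], parts[2::2]):
        fields = dict(re.findall(r"^\s*(\w+)=(\S+)", body, re.MULTILINE))
        sessions.append({"id": int(sid), **fields})
    return sessions


def transferred_session_ids(sessions):
    """Sessions whose current installer UID differs from the creating UID, i.e. transferred."""
    return [s["id"] for s in sessions
            if s.get("mInstallerUid") != s.get("mOriginalInstallerUid")]


def noisy_uids(sessions, max_sessions=5):
    """UIDs that own more open sessions than a legitimate installer normally keeps."""
    per_uid = Counter(s.get("mOriginalInstallerUid") for s in sessions)
    return sorted(uid for uid, n in per_uid.items() if n > max_sessions)


if __name__ == "__main__":
    print("system_server growth:", sustained_growth([total_pss_kb(s) for s in MEMINFO_GROWING]))
    print("stable device growth:", sustained_growth([total_pss_kb(s) for s in MEMINFO_STABLE]))
    sessions = parse_sessions(PACKAGE_SESSIONS)
    print("transferred sessions:", transferred_session_ids(sessions))
    print("noisy UIDs:", noisy_uids(sessions))
```

On a real device the two inputs come from adb shell dumpsys meminfo system_server, sampled periodically, and adb shell dumpsys package (the install-session section). The growth check deliberately requires several consecutive positive deltas so that a single large but legitimate install does not page anyone; tune min_growth_kb to the device class.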

How to Mitigate CVE-2026-28575

Immediate Actions Required

  • Apply the Android 17 security update published in the Android Security Bulletin as soon as the OEM build is available.
  • Restrict sideloading on managed devices through enterprise mobility management policies until patches are deployed.
  • Audit installed applications and remove untrusted packages that interact with PackageInstaller APIs.

Patch Information

Google has released a fix as part of the Android 17 platform update. The patch corrects the logic error in the PackageInstaller.Session#transfer path within frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java. Device manufacturers must integrate the AOSP patch and ship it through their respective OTA channels. After updating, verify that the device security patch level is at or after the date of the Android 17 bulletin that carries the fix.

Workarounds

  • Disable installation from unknown sources on user and work profiles through MDM configuration.
  • Limit the set of applications permitted to call package management APIs using enterprise allowlists.
  • Reboot affected devices to reclaim exhausted memory while patches are being staged; this only buys time, since the offending application resumes after restart unless it is removed.
```bash
# Verify the Android security patch level and platform release on a connected device
adb shell getprop ro.build.version.security_patch
adb shell getprop ro.build.version.release
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
