CVE-2026-28575: In PackageInstaller
In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A memory exhaustion vulnerability exists in the Android PackageInstaller component, specifically in the PackageInstaller.Session#transfer method. The flaw is caused by a logic error that allows an attacker to trigger unbounded memory consumption on the device, requiring no privileges and no user interaction. Successful exploitation causes a local denial of service, crashing or hanging the affected service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Android security feeds and matched against customer images within minutes of publication, including custom-built images that bundle Android system components or derive from Android-based base images.
Status: Available
HarborGuard scores this CVE at CVSS 10.0 (Critical) and weights it against each environment's compliance policy to determine priority and routing. Triage signals are surfaced to the appropriate team inbox within each customer organization based on configured severity thresholds.
Status: Available
Because no fix version has been published yet, HarborGuard re-checks the upstream Android advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Google ships a remediation. Customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads as soon as a fix version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
The vulnerability is exploited locally; the attacker needs an existing shell or process on the host, and no network access is required.
- Authentication: Not required
No privileges are required; any process running on the device can trigger the memory exhaustion without holding any account credentials or elevated permissions.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the fault entirely from their own process without prompting or involving another user.
- Attack complexity
Attack complexity is low, meaning the exploit is reliable and requires no specific race conditions, memory layout dependencies, or other environmental prerequisites.
Blast Radius
- Crashes or hangs the PackageInstaller service, preventing any application installation or update operations on the affected device.
- Sustained memory exhaustion can trigger system-wide low-memory conditions, causing the Android OS to kill unrelated foreground and background processes.
- Persistent exploitation can render the device unresponsive, effectively producing a hard denial-of-service until the device is rebooted.
- In environments where Android system components are bundled into container images (for example, emulator or CI pipeline images), the host workload running that image becomes unavailable for the duration of the attack.
How HarborGuard Handles This
Available on HarborGuard: as soon as this CVE was published, matching against all customer registries and CI pipelines became active, covering both upstream Android base images and any custom-built images that include the affected PackageInstaller component. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle. In the interim, compensating controls are available: network-policy isolation to restrict inter-process communication surfaces on affected workloads, egress filtering to limit what processes can reach package-staging endpoints, and feature-flag gating to disable installer session transfer paths where the application stack permits it. For customers with auto-remediation enabled, a patched-image rebuild, regression-test run, and PR against affected workloads will be initiated automatically the moment Google publishes a fix version, with a median time from CVE patch publication to merged PR of around 90 minutes for Critical-severity issues in environments with auto-remediation enabled.
- Google / Android17
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H