Unrated severity · NVD Advisory · Published May 30, 2023 · Updated Jan 14, 2025

CVE-2022-47028

Description

An issue discovered in Action Launcher for Android v50.5 allows an attacker to cause a denial of service via arbitrary data injection to the function insert.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Action Launcher v50.5 allows unauthorized apps to inject large data into its database, causing permanent denial of service when the launcher loads the data on startup.

Vulnerability

Action Launcher for Android version 50.5 exposes a content provider at content://com.actionlauncher.playstore.settings/favorites that allows any installed application to insert arbitrary data without authentication. The launcher loads all entries from this provider into memory on the UI thread during its initialization phase. By injecting a large number of oversized records (e.g., 102400-byte titles), an attacker can cause the launcher to become stuck while processing the excessive data [1].
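
The condition described above (an exported provider that accepts writes with no permission check) can be audited for in a decoded AndroidManifest.xml. The following is an added example, not code from the vendor or from the referenced advisory; the sample manifest is constructed, and every name in it other than the authority quoted above is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest, not taken from the real APK. The package,
# class names and the second and third providers are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.launcher">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application>
    <provider android:name=".SettingsProvider"
        android:authorities="com.actionlauncher.playstore.settings"
        android:exported="true"/>
    <provider android:name=".BackupProvider"
        android:authorities="com.example.launcher.backup"
        android:exported="true"
        android:readPermission="com.example.launcher.READ"/>
    <provider android:name=".InternalProvider"
        android:authorities="com.example.launcher.internal"/>
  </application>
</manifest>"""


def unprotected_writable_providers(manifest_xml):
    """Return authorities of exported providers that any app can write to."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(ANDROID + "minSdkVersion", "1"))
    target_sdk = int(attrs.get(ANDROID + "targetSdkVersion", str(min_sdk)))
    # Providers are exported by default only when either level is 16 or lower.
    default_exported = "true" if min(min_sdk, target_sdk) <= 16 else "false"
    findings = []
    for prov in root.iter("provider"):
        exported = prov.get(ANDROID + "exported", default_exported)
        # Writes are gated by writePermission, falling back to permission.
        # readPermission alone does not protect insert/update/delete.
        write_gate = (prov.get(ANDROID + "writePermission")
                      or prov.get(ANDROID + "permission"))
        if exported == "true" and not write_gate:
            findings.append(prov.get(ANDROID + "authorities"))
    return findings


if __name__ == "__main__":
    for authority in unprotected_writable_providers(SAMPLE_MANIFEST):
        print("exported provider without write permission:", authority)
```

The check does not evaluate path-permission children or the protection level of a named permission, so a provider it passes still needs review if its permission is one that any app can obtain.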

Exploitation

An attacker must have a malicious application installed on the same device; no elevated permissions are required beyond the default Android content provider access. The malicious app repeatedly calls ContentResolver.insert() on the vulnerable URI, inserting entries with large title values. When the user subsequently opens Action Launcher (or if it is the default launcher and the device is rebooted), the launcher attempts to load all stored data into memory on the main thread. This blocks the UI thread, preventing the launcher from displaying home screens or responding to user input. The injected data persists in the database, so the denial of service persists across reboots [1].

Impact

Successful exploitation results in a permanent denial of service. The launcher becomes unresponsive and cannot be used to navigate the device. Since the launcher is often set as the default home screen, the user may be unable to access other apps or settings without external assistance (e.g., booting into safe mode or using ADB to clear the app's data). The attack does not require any user interaction beyond installing the malicious app [1].

Mitigation

As of the publication date (2023-05-30), no official fix has been released by the vendor. Users should monitor the Google Play Store for updates to Action Launcher. In the meantime, affected users can mitigate the issue by uninstalling or disabling Action Launcher, or by using a different launcher application. If the device is already compromised, clearing the app's data via Android's application settings or ADB may restore functionality [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
