Medium severity6.2NVD Advisory· Published Apr 6, 2026· Updated Apr 10, 2026

CVE-2026-0049

Description

In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

Affected products

Google/Android6 versions
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*
- cpe:2.3:o:google:android:16.0:qpr2_beta_1:*:*:*:*:*:*
- cpe:2.3:o:google:android:16.0:qpr2_beta_2:*:*:*:*:*:*
- cpe:2.3:o:google:android:16.0:qpr2_beta_3:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

source.android.com/docs/security/bulletin/2026/2026-04-01nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.403
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000